Abstract

In the Horn theory based approach to cryptographic protocol analysis, cryptographic protocols and (Dolev-Yao) intruders are modeled by Horn theories, and security analysis boils down to solving the derivation problem for Horn theories. This approach, and the tools based on it, including ProVerif, have been very successful in the automatic analysis of cryptographic protocols w.r.t. an unbounded number of sessions. However, dealing with the algebraic properties of operators such as the exclusive OR (XOR) has been problematic. In particular, ProVerif cannot deal with XOR.

In this paper, we show how to reduce the derivation problem for Horn theories with XOR to the XOR-free case. Our reduction works for an expressive class of Horn theories. A large class of intruder capabilities and protocols that employ the XOR operator can be modeled by these theories. Our reduction allows us to carry out protocol analysis by tools, such as ProVerif, that cannot deal with XOR, but are very efficient in the XOR-free case. We implemented our reduction and, in combination with ProVerif, applied it in the automatic analysis of several protocols that use the XOR operator. In one case, we found a new attack.



1 Introduction 

In the Horn theory based approach to cryptographic protocol analysis, cryptographic protocols and the so-called Dolev-Yao intruder are modeled by Horn theories. The security analysis, including the analysis of secrecy and authentication properties, then essentially boils down to solving the derivation problem for Horn theories, i.e., the question whether a certain fact is derivable from the Horn theory. This kind of analysis takes into account that an unbounded number of protocol sessions may run concurrently. While the derivation problem is undecidable in general, there are very successful automatic analysis tools, with ProVerif [2] being one of the most prominent ones among them, which work well in practice.

However, dealing with the algebraic properties of operators, such as the exclusive OR (XOR), which are frequently used in cryptographic protocols, has been problematic in the Horn theory approach. While ProVerif has been extended to deal with certain algebraic properties in [4], associative operators, which in particular include XOR, are still out of its scope. Even though there exist some decidability results for the derivation problem in certain classes of Horn theories with XOR [9, 20, 14], the decision procedures have not led to practical implementations yet, except for the very specific setting in [14] (see the related work).

The goal of this work is therefore to come up with a practical approach that allows for the automatic analysis of a wide range of cryptographic protocols with XOR, in a setting with an unbounded number of protocol sessions. Our approach is to reduce this problem to the one without XOR, i.e., to the simpler case without algebraic properties. This simpler problem can then be solved by tools, such as ProVerif, that a priori cannot deal with XOR, but are very efficient in solving the XOR-free case. More precisely, the contribution of this paper is as follows.

Contribution of this paper. We consider an expressive class of (unary) Horn theories, called ⊕-linear (see Section 3). A Horn theory is ⊕-linear if, for every Horn clause in this theory except for the clause that models the intruder's ability to apply the XOR operator ($I(x), I(y) \to I(x \oplus y)$), the terms that occur in the clause are ⊕-linear. A term is ⊕-linear if for every subterm of the form $t \oplus t'$ in this term, it is true that $t$ or $t'$ does not contain variables. We do not put any other restriction on the Horn theories. In particular, our approach allows us to deal with all cryptographic protocols and intruder capabilities that can be modeled as ⊕-linear Horn theories.

We show that the derivation problem for ⊕-linear Horn theories with XOR can be reduced to a purely syntactic derivation problem, i.e., a derivation problem where the algebraic properties of XOR do not have to be considered anymore (see Sections 3, 4 and 5). Now, the syntactic derivation problem can be solved by highly efficient tools, such as ProVerif, which cannot deal with XOR. We believe that the techniques developed in this paper are interesting beyond the case of XOR. For example, using these techniques it might be possible to also deal with other operators, such as Diffie-Hellman exponentiation.

Using ProVerif, we apply our two-step approach — first reduce the problem, then run ProVerif on the result of the reduction — to the analysis of several cryptographic protocols that use the XOR operator in an essential way (see Section 6). The experimental results demonstrate that our approach is practical. In one case, we found a new attack on a protocol.

We note that a potential alternative to our approach is to perform unification modulo XOR instead of syntactic unification in a resolution algorithm such as the one employed by ProVerif. Whether or not this approach is practical is an open problem. The main difficulty is that unification modulo XOR is much more inefficient than syntactic unification; it is NP-complete rather than linear and, in general, there does not exist a (single) most general unifier.

Related work. In [9, 20], classes of Horn theories (security protocols) are identified for which the derivation problem modulo XOR is shown to be decidable. These classes are orthogonal to the one studied in this paper. While ⊕-linearity is not required, other restrictions are put on the Horn clauses, in particular linearity on the occurrence of variables. The classes in [9, 20] do, for example, not contain the Recursive Authentication and the SK3 protocol, which, however, we can model (see Section 6). To the best of our knowledge, the decision procedures proposed in [9, 20] have not been implemented. The procedure proposed in [5] has non-elementary runtime.

In [?], the IBM 4758 CCA API, which we also consider in our experiments, has been analyzed. Notably, in [14] a decision procedure, along with an implementation, is presented for the automatic analysis of a class of security protocols which contains the IBM 4758 CCA API. However, the protocol class and the decision procedure are especially tailored to the IBM 4758 CCA API. The only primitives that can be handled are the XOR operator and symmetric encryption. All other primitives, such as pairing, public-key encryption, and hashing, are out of the scope of the method in [11]. The specification of the IBM 4758 CCA API in [14] is hard coded in a C implementation.

In [4], it is described how the basic resolution algorithm used in ProVerif can be extended to handle some equational theories. However, as already mentioned in that work, associative operators, such as XOR, are out of the scope of this extension.



In [11], the so-called finite variant property has been studied for XOR and other operators. It has been used (implicitly or explicitly) in other works [12, ?], and also plays a role in our work (see Section 4).

In [?, 15], decision procedures for protocol analysis with XOR w.r.t. a bounded (rather than an unbounded) number of sessions are presented. The notion of ⊕-linearity that we use is taken from the work in [15]. That work also contains some reduction argument. However, our work differs from [15] in several respects: First, of course, our approach is for an unbounded number of sessions, but it is not guaranteed to terminate. Second, the class of protocols (and intruder capabilities) we can model in our setting is much more general than the one in [15]. Third, the reduction presented in [15] heavily depends on the bounded session assumption; the argument would not work in our setting. Fourth, the reduction presented in [15] is not practical.

Structure of this paper. In Section 2 we introduce Horn theories and illustrate how they are used to model cryptographic protocols by a running example. The notion of ⊕-linearity is introduced in Section 3, along with a proposition that is the key to our main result, i.e., the reduction. The reduction is then presented in Section 4, with extensions to authentication presented in Section 5. We discuss our implementation and experimental results in Section 6. Proofs omitted in the main part of the paper are presented in the appendix.

We point the reader to [17] for our implementation.

2 Preliminaries 

In this section, we introduce Horn theories modulo the XOR operator and illustrate how these theories are used to model the so-called Dolev-Yao intruder and cryptographic protocols by a running example.

Horn theories 

Let $\Sigma$ be a finite signature and $V$ be a set of variables. The set of terms over $\Sigma$ and $V$ is defined as usual. By $\mathrm{var}(t)$ we denote the set of variables that occur in the term $t$. We assume $\Sigma$ to contain the binary function symbol $\oplus$ (exclusive OR), as well as a constant $0$. To model cryptographic protocols, $\Sigma$ typically also contains constants (atomic messages), such as principal names, nonces, and keys, the unary function symbol $\mathrm{hash}(\cdot)$ (hashing), the unary function symbol $\mathrm{pub}(\cdot)$ (public key), and binary function symbols such as $\langle \cdot, \cdot \rangle$ (pairing), $\{\cdot\}_\cdot$ (symmetric encryption), and $\{|\cdot|\}_\cdot$ (public key encryption). The signature $\Sigma$ may also contain any other free function symbol, such as various kinds of signatures and MACs. We only require that the corresponding intruder rules are ⊕-linear (see Section 3), which rules that do not contain the symbol $\oplus$ always are.

Ground terms, i.e., terms without variables, are called messages. For a unary predicate $q$ and a (ground) term $t$ we call $q(t)$ a (ground) atom. A substitution is a finite set of pairs of the form $\sigma = \{t_1/x_1, \ldots, t_n/x_n\}$, where $t_1, \ldots, t_n$ are terms and $x_1, \ldots, x_n$ are variables. The set $\mathrm{dom}(\sigma) = \{x_1, \ldots, x_n\}$ is called the domain of $\sigma$. We define $\sigma(x) = x$ if $x \notin \mathrm{dom}(\sigma)$. The application $t\sigma$ of $\sigma$ to a term/atom/set of terms $t$ is defined as usual.

We call a term standard if its top symbol is not $\oplus$; otherwise, it is called non-standard. For example, the term $\langle a, b \oplus a \rangle$ is standard, while $b \oplus a$ is non-standard.

A non-standard subterm $s$ of $t$ is called complete if either $s = t$ or $s$ occurs in $t$ as a direct subterm of some standard term. For instance, for $t = \langle a \oplus \{(x \oplus y) \oplus z\}_k, b \rangle$, the terms $a \oplus \{(x \oplus y) \oplus z\}_k$ and $(x \oplus y) \oplus z$ are complete non-standard subterms of $t$, but $x \oplus y$ is not.

To model the algebraic properties of the exclusive OR (XOR), we consider the congruence relation $\sim$ on terms induced by the following equational theory (see, e.g., [?]):

$$x \oplus y = y \oplus x, \qquad (x \oplus y) \oplus z = x \oplus (y \oplus z) \qquad (1)$$

$$x \oplus x = 0, \qquad x \oplus 0 = x \qquad (2)$$

For example, we have that $t_{ex} = a \oplus b \oplus \{0\}_k \oplus b \oplus \{c \oplus c\}_k \sim a$. (Due to the associativity of $\oplus$ we often omit brackets and simply write $a \oplus b \oplus c$ instead of $(a \oplus b) \oplus c$ or $a \oplus (b \oplus c)$.) For atoms $q(t)$ and $q'(t')$, we write $q(t) \sim q'(t')$ if $q = q'$ and $t \sim t'$. We say that two terms are equivalent modulo AC, where AC stands for associativity and commutativity, if they are equivalent modulo (1). A term is ⊕-reduced if, modulo AC, the identities (2), when interpreted as reductions from left to right, cannot be applied. Clearly, every term can be turned into ⊕-reduced form and this form is uniquely determined modulo AC. For example, $a$ is the ⊕-reduced form of $t_{ex}$.

A Horn theory $T$ is a finite set of Horn clauses of the form $a_1, \ldots, a_n \to a_0$, where $a_i$ is an atom for every $i \in \{0, \ldots, n\}$. We assume that the variables that occur on the right-hand side of a Horn clause also occur on the left-hand side.¹ If $n = 0$, i.e., the left-hand side of the clause is always true, we call the Horn clause $a_0$ a fact.

Given a Horn theory $T$ and a ground atom $a$, we say that $a$ can syntactically be derived from $T$ (written $T \vdash a$) if there exists a derivation for $a$ from $T$, i.e., there exists a sequence $\pi = b_1, \ldots, b_l$ of ground atoms such that $b_l = a$ and for every $i \in \{1, \ldots, l\}$ there exists a substitution $\sigma$ and a Horn clause $a_1, \ldots, a_n \to a_0$ in $T$ such that $a_0\sigma = b_i$ and for every $j \in \{1, \ldots, n\}$ there exists $k \in \{1, \ldots, i-1\}$ with $a_j\sigma = b_k$. In what follows, we sometimes refer to $b_i$ by $\pi(i)$ and to $b_1, \ldots, b_{i-1}$ by $\pi_{<i}$. The length $l$ of a derivation $\pi$ is referred to by $|\pi|$.

We call a sequence $b_1, \ldots, b_l$ of ground atoms an incomplete syntactic derivation of $a$ from $T$ if $b_l = a$ and $T \cup \{b_1, \ldots, b_{i-1}\} \vdash b_i$ for every $i \in \{1, \ldots, l\}$.

¹ This assumption can easily be relaxed for variables that are substituted only by certain "good" terms, where "good" means C-dominated (see Section 3).

Figure 1: Intruder rules.

$I(x) \to I(\mathrm{hash}(x))$    $I(x), I(y) \to I(\langle x, y \rangle)$
$I(\langle x, y \rangle) \to I(x)$    $I(\langle x, y \rangle) \to I(y)$
$I(x), I(y) \to I(\{x\}_y)$    $I(\{x\}_y), I(y) \to I(x)$
$I(x), I(\mathrm{pub}(y)) \to I(\{|x|\}_{\mathrm{pub}(y)})$    $I(\{|x|\}_{\mathrm{pub}(y)}), I(y) \to I(x)$
$I(x), I(y) \to I(x \oplus y)$

Similarly, we write $T \vdash_\oplus a$ if there exists a derivation of $a$ from $T$ modulo XOR, i.e., there exists a sequence $b_1, \ldots, b_l$ of ground atoms such that $b_l \sim a$ and for every $i \in \{1, \ldots, l\}$ there exists a substitution $\sigma$ and a Horn clause $a_1, \ldots, a_n \to a_0$ in $T$ such that $a_0\sigma \sim b_i$ and for every $j \in \{1, \ldots, n\}$ there exists $k \in \{1, \ldots, i-1\}$ with $a_j\sigma \sim b_k$. Incomplete derivations modulo XOR are defined analogously to the syntactic case.

Given $T$ and $a$, we call the problem of deciding whether $T \vdash a$ ($T \vdash_\oplus a$) is true the deduction problem (modulo XOR). In case $T$ models a protocol and the intruder (as described below), the fact that $T \vdash_\oplus a$, with $a = I(t)$, does not hold means that the term $t$ is secret, i.e., the intruder cannot get hold of $t$ even when running an unbounded number of sessions of the protocol and using the algebraic properties of the XOR operator.

Modeling Protocols by Horn theories 

Following [2], we now illustrate how Horn theories can be used to analyze cryptographic protocols, where, however, we take the XOR operator into account. While here we concentrate on secrecy properties, authentication is discussed in Section 5. As mentioned in the introduction, the Horn theory approach allows us to analyze the security of protocols w.r.t. an unbounded number of sessions and with no bound on the message size in a fully automatic and sound way. However, the algorithms are not guaranteed to terminate and may produce false attacks.

A Horn theory for modeling protocols and the (Dolev-Yao) intruder uses only the predicate $I$. The fact $I(t)$ means that the intruder may be able to obtain the term $t$. The fundamental property is that if $I(t)$ cannot be derived from the set of clauses, then the protocol preserves the secrecy of $t$. The Horn theory consists of three sets of Horn clauses: the initial intruder facts, the intruder rules, and the protocol rules. The set of initial intruder facts represents the initial intruder knowledge, such as names of principals and public keys. The clauses in this set are facts, e.g., $I(a)$ (the intruder knows the name $a$) and $I(\mathrm{pub}(sk_a))$ (the intruder knows the public key of $a$, with $sk_a$ being the corresponding private key). The set of intruder rules represents the intruder's ability to derive new messages. For the cryptographic primitives mentioned above, the set of intruder rules consists of the clauses depicted in Figure 1. The last clause in this figure will be called the ⊕-rule. It allows the intruder to perform the XOR operation on arbitrary messages. The set of protocol rules represents the actions performed in the actual protocol. The $i$th protocol step of a principal is described by a clause of the form $I(r_1), \ldots, I(r_i) \to I(s_i)$, where the terms $r_j$, $j \in \{1, \ldots, i\}$, describe the (patterns of) messages the principal has received in the previous $i-1$ steps plus the (pattern of the) message in the $i$th step. The term $I(s_i)$ is the (pattern of the) $i$th output message of the principal. Given a protocol $P$, we denote by $T_P$ the Horn theory that comprises all three sets mentioned above.

Let us illustrate the above by a simple example protocol, which we will use as a running example throughout this paper. Applications of our approach to more complex protocols are presented in Section 6.2. We emphasize that the kind of Horn theories outlined above is only an example of how protocols and intruders can be modeled. As already mentioned in the introduction, our method applies to all ⊕-linear Horn theories.

Running example 

We consider a protocol that was proposed in [7]. It is a variant of the Needham-Schroeder-Lowe protocol in which XOR is employed. The informal description of the protocol, which we denote by $P_{\mathrm{NSL}}^{\oplus}$, is as follows:

(1) $A \to B$ :
(2) $B \to A$ : $\{|M, N \oplus B|\}_{\mathrm{pub}(sk_B)}$
(3) $A \to B$ : $\{|M|\}_{\mathrm{pub}(sk_B)}$

where $N$ and $M$ are nonces generated by $A$ and $B$, respectively. As noted in [7], this protocol is insecure; an attack similar to the one on the original Needham-Schroeder protocol can be mounted, where, however, now the algebraic properties of XOR are exploited.

To illustrate how this protocol can be modeled in terms of Horn theories, let $P$ be a set of participant names and $H \subseteq P$ be the set of names of the honest participants. As proved in [10], for the secrecy property it suffices to consider the case $P = \{a, b\}$ and $H = \{a\}$ (for authentication three participants are needed). In the following, $sk_a$, for $a \in P$, denotes the private key of $a$, $n(a, b)$ denotes the nonce sent by $a \in P$ to $b \in P$ in message 1, and $m(b, a)$ denotes the nonce generated by $b$ and sent to $a$ in message 2.



The initial intruder knowledge is the set $\{I(a) \mid a \in P\} \cup \{I(\mathrm{pub}(sk_a)) \mid a \in P\} \cup \{I(sk_a) \mid a \in P \setminus H\}$ of facts. The intruder rules are those depicted in Figure 1. The first step of the protocol performed by an honest principal is modeled by the facts:

for $a \in H$, $b \in P$. Note that it is not necessary to model messages sent by dishonest principals, since these are taken care of by the actions that can be performed by the intruder.

The second step of the protocol performed by an honest principal is modeled by the clauses:

for $b \in H$, $a \in P$. The third step of the protocol performed by an honest principal is modeled by the clauses:

$$I(\{|x, n(a, b) \oplus b|\}_{\mathrm{pub}(sk_a)}) \to I(\{|x|\}_{\mathrm{pub}(sk_b)}) \qquad (4)$$

for $a \in H$, $b \in P$. The set of Horn clauses defined above is denoted by $T_{P_{\mathrm{NSL}}^{\oplus}}$. It is not hard to verify that we have $T_{P_{\mathrm{NSL}}^{\oplus}} \vdash_\oplus I(m(b, a))$ for every $a, b \in H$. In fact, secrecy of the nonces sent by an honest responder to an honest initiator is not guaranteed by the protocol [7].

3 Dominated Derivations 

In Section 4 we show how to reduce the deduction problem modulo XOR to the one without XOR for ⊕-linear Horn theories, introduced below. This reduction allows us to reduce the problem of checking secrecy for protocols that use XOR to the case of protocols that do not use XOR. (The authentication problem will be considered in Section 5.) The latter problem can then be solved by tools that cannot deal with XOR, such as ProVerif. The class of protocol and intruder capabilities that we can handle this way is quite large: it contains all protocol and intruder rules that are ⊕-linear.

In this section, we prove a proposition that will be the key to the reduction. Before we can state the proposition, we need to introduce ⊕-linear Horn theories and some further terminology.

A term is ⊕-linear if for each of its subterms of the form $t \oplus s$, where $t$ and $s$ may be standard or non-standard terms, it is true that $t$ or $s$ is ground. In other words, if a term $t$ contains a subterm of the form $t_1 \oplus \cdots \oplus t_n$ with $n \ge 2$, $t_i$ standard for every $i$, and there exist $i$ and $j$, $i \ne j$, such that $t_i$ and $t_j$ are not ground, then $t$ is not ⊕-linear. For example, for variables $x, y, z$ and a constant $a$, the term $t_{lin} = \langle a, a \oplus \langle x, y \rangle \rangle$ is ⊕-linear, but the term $t'_{lin} = \langle a, a \oplus \langle x, y \rangle \oplus z \rangle$ is not. A Horn clause is called ⊕-linear if each term occurring in the clause is ⊕-linear. A Horn theory is ⊕-linear if each clause in this theory, except for the ⊕-rule (see Fig. 1), is ⊕-linear. In particular, given a protocol $P$, the induced theory $T_P$ is ⊕-linear if the sets of protocol and intruder rules, except for the ⊕-rule, are.

Our running example is an example of a protocol with an ⊕-linear Horn theory (note that, in (4), $b$ is a constant); other examples are mentioned in Section 6.2. Also, many intruder rules are ⊕-linear, in particular all those that do not contain the XOR symbol. For example, in addition to the cryptographic primitives mentioned in Figure 1, other primitives, such as various kinds of signatures, encryption with prefix properties, and MACs have ⊕-linear intruder rules.

Besides ⊕-linearity, we also need a more fine-grained notion: C-domination. Let $C$ be a finite set of standard ⊕-reduced ground terms such that $C$ does not contain two elements $m, m'$ with $m \ne m'$ and $m \sim m'$. (For the efficiency of our reduction (Section 4), it is important to keep $C$ as small as possible.) Let $C^\oplus = \{t \mid \text{there exist } c_1, \ldots, c_n \in C \text{ such that } t \sim c_1 \oplus \cdots \oplus c_n\}$ be the ⊕-closure of $C$. Note that $0 \in C^\oplus$. Finally, let $\overline{C} = \{t \mid t \sim t' \in C,\ t \text{ standard}\}$.

Now, a term is C-dominated if, for each of its subterms of the form $t \oplus s$, where $t$ and $s$ may be standard or non-standard, it is true that $t$ or $s$ is in $C^\oplus$. For example, the term $t_{lin}$ from above is $\{a\}$-dominated, but it is not $\{b\}$-dominated. The term $t'_{lin}$ is not $\{a\}$-dominated. A Horn clause is C-dominated if the terms occurring in this clause are C-dominated; similarly for derivations. Finally, a Horn theory $T$ is C-dominated if each clause in $T$, except for the ⊕-rule, is C-dominated. For example, we have that the Horn theory $T_{P_{\mathrm{NSL}}^{\oplus}}$ of our running example is $\{a, b\}$-dominated. (Recall that $P = \{a, b\}$.)

C-dominated terms can also be characterized in terms of what we call bad terms. We call a non-standard term $t$ bad (w.r.t. $C$) if $t \sim c \oplus t_1 \oplus \cdots \oplus t_n$ for $c \in C^\oplus$, pairwise ⊕-distinct standard terms $t_1, \ldots, t_n \notin \overline{C}$, and $n > 1$, where $t$ and $t'$ are ⊕-distinct if $t \not\sim t'$. A non-standard term which is not bad is called good. The following lemma is easy to see:

Lemma 1. An ⊕-reduced term is C-dominated iff it contains no bad subterms.
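To make the definitions of Section 2 (⊕-reduced forms modulo AC) and of this section (⊕-linearity, C-domination, bad terms and Lemma 1) concrete, here is an added Python example; it is not code from the paper or from its implementation [17], and its term encoding (Var, App and the symbols "xor", "pair", "senc", "penc", "pub", "sk", "n") is an assumption of the example, not the paper's notation.

```python
"""Terms modulo XOR: ⊕-reduced forms, ⊕-linearity and C-domination.
Added example, not code from the paper or from its implementation [17]. The
term encoding is this example's own: Var(name) for variables, App(sym, args)
for applications (constants have args == ()), App("xor", (s, t)) for s ⊕ t."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple, Union

@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class App:
    sym: str
    args: Tuple["Term", ...] = ()

Term = Union[Var, App]
ZERO = App("0")

def xor(*ts: Term) -> Term:
    """Left-nested binary term ((t1 ⊕ t2) ⊕ ...) ⊕ tn, as written in the paper."""
    acc = ts[0]
    for t in ts[1:]:
        acc = App("xor", (acc, t))
    return acc

def is_standard(t: Term) -> bool:
    return isinstance(t, Var) or t.sym != "xor"   # top symbol is not ⊕

def is_ground(t: Term) -> bool:
    return isinstance(t, App) and all(is_ground(a) for a in t.args)

def reduce_xor(t: Term) -> Term:
    """⊕-reduced form, canonical modulo AC: nested ⊕ flattened into one n-ary node
    of sorted standard operands, 0 dropped, equal operands cancelled in pairs."""
    if isinstance(t, Var):
        return t
    if t.sym != "xor":
        return App(t.sym, tuple(reduce_xor(a) for a in t.args))
    operands: List[Term] = []
    for a in t.args:
        r = reduce_xor(a)
        operands.extend([r] if is_standard(r) else r.args)
    parity: Dict[Term, int] = {}
    for o in operands:
        if o != ZERO:                              # x ⊕ 0 = x
            parity[o] = parity.get(o, 0) ^ 1       # x ⊕ x = 0
    rest = sorted((o for o, p in parity.items() if p), key=repr)
    if not rest:
        return ZERO
    return rest[0] if len(rest) == 1 else App("xor", tuple(rest))

def equiv(s: Term, t: Term) -> bool:
    """s ~ t, i.e. equality modulo the equational theory of XOR."""
    return reduce_xor(s) == reduce_xor(t)

def is_xor_linear(t: Term) -> bool:
    """⊕-linear: every subterm s ⊕ s' of the term as written has a ground side."""
    if isinstance(t, Var):
        return True
    if t.sym == "xor" and not any(is_ground(a) for a in t.args):
        return False
    return all(is_xor_linear(a) for a in t.args)

def bad_subterms(t: Term, C: Iterable[Term]) -> List[Term]:
    """Non-standard subterms of reduce_xor(t) that are bad w.r.t. C: more than one
    standard operand outside C (variables count, so Horn-clause terms work too)."""
    c_bar = {reduce_xor(c) for c in C}
    found: List[Term] = []
    def walk(u: Term) -> None:
        if isinstance(u, Var):
            return
        if u.sym == "xor" and sum(a not in c_bar for a in u.args) > 1:
            found.append(u)
        for a in u.args:
            walk(a)
    walk(reduce_xor(t))
    return found

def is_dominated(t: Term, C: Iterable[Term]) -> bool:
    """C-dominated iff the ⊕-reduced form has no bad subterm (Lemma 1)."""
    return not bad_subterms(t, C)

def running_example() -> Dict[str, bool]:
    """The paper's t_ex, t_lin, t'_lin and the body of clause (4) against C = {a, b}."""
    a, b, c, k = App("a"), App("b"), App("c"), App("k")
    x, y, z = Var("x"), Var("y"), Var("z")
    t_ex = xor(a, b, App("senc", (ZERO, k)), b, App("senc", (xor(c, c), k)))
    t_lin = App("pair", (a, xor(a, App("pair", (x, y)))))
    t_lin2 = App("pair", (a, xor(a, App("pair", (x, y)), z)))
    msg4 = App("penc", (App("pair", (x, xor(App("n", (a, b)), b))), App("pub", (App("sk", (a,)),))))
    return {
        "t_ex ~ a": equiv(t_ex, a),
        "t_lin linear": is_xor_linear(t_lin),
        "t'_lin linear": is_xor_linear(t_lin2),
        "t_lin {a}-dominated": is_dominated(t_lin, {a}),
        "t_lin {b}-dominated": is_dominated(t_lin, {b}),
        "t'_lin {a}-dominated": is_dominated(t_lin2, {a}),
        "clause (4) {a,b}-dominated": is_dominated(msg4, {a, b}),
    }
```

Calling running_example() reproduces the paper's claims: $t_{ex}$ reduces to $a$, $t_{lin}$ is ⊕-linear and $\{a\}$- but not $\{b\}$-dominated, $t'_{lin}$ is neither, and the clause (4) term is $\{a,b\}$-dominated.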

There is an obvious connection between ⊕-linearity and C-domination:

Lemma 2. For every ⊕-linear term/Horn theory/derivation there exists a finite set $C$ of standard ⊕-reduced messages such that the term/Horn theory/derivation is C-dominated.

The set $C$ mentioned in the lemma could be chosen to be the set of all ground standard terms occurring in the term/Horn theory/derivation. However, $C$ should be chosen as small as possible in order to make the reduction presented in Section 4 more efficient.



As mentioned, the following proposition is the key to our reduction. The proposition states that C-dominated Horn theories always allow for C-dominated derivations. Because of Lemma 2, the proposition applies to all ⊕-linear Horn theories.

Proposition 1. Let $T$ be a C-dominated Horn theory and $b$ be a C-dominated fact. If $T \vdash_\oplus b$, then there exists a C-dominated derivation modulo XOR for $b$ from $T$.

Before we present the proof of this proposition, we introduce some terminology, which is also used in subsequent sections, and sketch the idea of the proof. We write $t \sim_C t'$ if $t' \sim c \oplus t$ (or equivalently, $c \oplus t' \sim t$), for some $c \in C^\oplus$.

For the rest of this section we fix a derivation $\pi$ modulo XOR for $b$ from $T$. W.l.o.g. we may assume that each term occurring in $\pi$ is in ⊕-reduced form and that each term in a substitution applied in $\pi$ is in ⊕-reduced form as well.

The key definitions for the proof of Proposition 1 are the following ones:

Definition 1. For a standard term $t$, the set $C$, and the derivation $\pi$, we define the type of $t$ (w.r.t. $\pi$ and $C$), written $\hat{t}$, to be an ⊕-reduced element $c$ of $C^\oplus$ such that $\pi(i) \sim I(c \oplus t)$ for some $i$, and for each $j < i$, it is not true that $\pi(j) \sim I(c' \oplus t)$ for some $c' \in C^\oplus$. If such an $i$ does not exist, we say that the type of $t$ is undefined.

Note that the type of a term is uniquely determined modulo AC and that equivalent terms (w.r.t. $\sim$) have equivalent types.

In the following definition, we define an operator which replaces standard terms in bad terms which are not in $\overline{C}$ by their types. This turns a bad term into a good one. To define the operator, we use the following notation. We write $\varphi^\oplus[x_1, \ldots, x_n]$ for a term which is built only from $\oplus$, elements of $C$, and the pairwise distinct variables $x_1, \ldots, x_n$ such that each $x_i$ occurs exactly once in $\varphi^\oplus[x_1, \ldots, x_n]$. An example is $\varphi^\oplus[x_1, x_2, x_3] = ((x_1 \oplus x_2) \oplus (a \oplus x_3))$, where $a \in C$. For messages $t_1, \ldots, t_n$, we write $\varphi^\oplus[t_1, \ldots, t_n]$ for the message obtained from $\varphi^\oplus[x_1, \ldots, x_n]$ by replacing every $x_i$ by $t_i$, for every $i \in \{1, \ldots, n\}$. Note that each non-standard term can be expressed in the form $\varphi^\oplus[t_1, \ldots, t_n]$ for some $\varphi^\oplus$ as above and standard terms $t_1, \ldots, t_n \notin \overline{C}$.

Definition 2. For a message $t$, we define $\Lambda(t)$ as follows: If $t$ is a bad term of the form $\varphi^\oplus[t_1, \ldots, t_n]$ for some $\varphi^\oplus$ as above and standard terms $t_1, \ldots, t_n \notin \overline{C}$, then $\Lambda(t) = \varphi^\oplus[\hat{t}_1, \ldots, \hat{t}_n]$; $\Lambda(t)$ is undefined if one of those $\hat{t}_i$ is undefined. Otherwise (if $t$ is good), we recursively apply $\Lambda$ to all direct subterms of $t$.

We will see (Lemma 10) that if $t$ occurs in $\pi$, then the types of the $t_i$ in the above definition are always defined. Note also that $\Lambda$ is defined with respect to the given $\pi$ and $C$.
Now, the main idea behind the proof of Proposition 1 is to apply $\Lambda(\cdot)$ to $\pi$. We then show that (i) $\Lambda(\pi)$ is an incomplete C-dominated derivation modulo XOR for $b$ from $T$ and (ii) to obtain a complete derivation only C-dominated terms are needed. The details of the proof are presented next, by a series of lemmas, some of which are also used in Section 4.

Proof of Proposition 1. The following lemma is easy to show by structural induction on $s$:

Lemma 3. Let $s$ and $t$ be messages such that $s$ is ⊕-reduced, $s$ contains a complete bad subterm $s'$, and $s \sim t$. Then, there exists a complete bad subterm $t'$ of $t$ such that $t' \sim s'$.

The following lemma, whose proof can be found in the appendix, says that when substituting variables in a C-dominated term, complete bad terms that might have been introduced by the substitution cannot be canceled out by the C-dominated term.

Lemma 4. Let $r\theta \sim t$, for a term $t$, an ⊕-reduced substitution $\theta$, and a C-dominated term $r$. Then, for each complete bad subterm $r'$ of $r\theta$ there exists a complete (bad) subterm $t'$ of $t$ such that $t' \sim r'$.

We now show (see the appendix) that if an instance of a C-dominated term contains a complete bad subterm, then this term (up to $\sim_C$) must be part of the substitution with which the instance was obtained.

Lemma 5. Let $\theta$ be a ground substitution and $s$ be a C-dominated term. Assume that $t$ is a complete bad subterm of $s\theta$. Then, there exists a variable $x$ and a complete bad subterm $t'$ of $\theta(x)$ such that $t' \sim_C t$.

The converse of Lemma 5 is also easy to show by structural induction on $s$.

Lemma 6. Let $\theta$ be a ground substitution and $s$ be a C-dominated term. If $s\theta$ is C-dominated, then so is $\theta(x)$ for every $x \in \mathrm{var}(s)$.

Similarly to Lemma 5, we can prove the following lemma. The main observation is that $\Lambda(c \oplus t) \sim c \oplus \Lambda(t)$, for $c \in C^\oplus$.

Lemma 7. $\Lambda(s\theta) \sim s(\Lambda\theta)$, for a C-dominated term $s$ and a substitution $\theta$.

Another basic and simple to prove property of $\Lambda$ is captured in the following lemma.

Lemma 8. Let $s$ and $t$ be terms such that $s \sim t$. Then, $\Lambda(s) \sim \Lambda(t)$.

The following lemma says that if an instance of a C-dominated Horn clause contains a complete bad subterm on its right-hand side, then this term (up to $\sim_C$) already occurs on the left-hand side.

Lemma 9. Assume that $p_1(r_1), \ldots, p_n(r_n) \to p_0(s)$ is a C-dominated Horn clause, $\theta$ is an ⊕-reduced ground substitution, and $w, u_1, \ldots, u_n$ are ⊕-reduced messages such that $w \sim s\theta$ and $u_i \sim r_i\theta$, for $i \in \{1, \ldots, n\}$. If $w'$ is a complete bad subterm of $w$, then there exists a complete bad subterm $u'$ of $u_i$, for some $i \in \{1, \ldots, n\}$, such that $u' \sim_C w'$.
Proof. Suppose that $w'$ is a complete bad subterm of $w$. Because $w \sim s\theta$ and $w$ is ⊕-reduced, by Lemma 3 there exists a complete bad subterm $t$ of $s\theta$ with $w' \sim t$. By Lemma 5, there exists a variable $x \in \mathrm{var}(s)$ and a complete bad subterm $t'$ of $\theta(x)$ with $t' \sim_C t$. Because $x$, as a variable of $s$, has to occur also in $r_i$ for some $i \in \{1, \ldots, n\}$, the term $t'$ is a (not necessarily complete) subterm of $r_i\theta$. Since $r_i$ is C-dominated, there exists a complete subterm $r'$ of $r_i\theta$ with $r' \sim_C t'$. Now, recall that $t' \sim_C t$ and $t \sim w'$. It follows that $r' \sim_C w'$. Furthermore, since $w'$ is bad, so is $r'$. Now, by Lemma 4, there exists a complete bad subterm $u'$ of $u_i$ such that $u' \sim_C r' \sim_C w'$. □

The following lemma connects bad terms that occur in a derivation with the types of their subterms.

Lemma 10. For every $n \ge 1$, if $\pi(i) \sim I(c \oplus t_1 \oplus \cdots \oplus t_n)$, for $c \in C^\oplus$ and pairwise ⊕-distinct standard terms $t_1, \ldots, t_n \notin \overline{C}$, then, for each $k \in \{1, \ldots, n\}$, there exists $j < i$ such that $\pi(j) \sim I(\hat{t}_k \oplus t_k)$.

Proof. If $n = 1$, then $I(\hat{t}_1 \oplus t_1)$ belongs to $\pi_{<i}$, by the definition of types.

Now, suppose that $n > 1$. In that case we will show, by induction on $i$, something more than what is claimed in the lemma: If $t$ with $t \sim c \oplus t_1 \oplus \cdots \oplus t_n$, $c \in C^\oplus$, and pairwise ⊕-distinct standard terms $t_i \notin \overline{C}$, occurs as a complete bad subterm in $\pi(i)$, then, for each $k \in \{1, \ldots, n\}$, there exists $j < i$ such that $\pi(j) \sim I(\hat{t}_k \oplus t_k)$.

Suppose that $t$, as above, occurs as a complete bad subterm in $\pi(i)$.

If there exists $t'$ such that $t' \sim_C t$ and $t'$ occurs in $\pi_{<i}$ as a complete subterm, then we are trivially done by the induction hypothesis. (Note that $t'$ is bad since $t$ is.) So, suppose that such a $t'$ does not occur in $\pi_{<i}$ as a complete subterm. By Lemma 9, $\pi(i)$ cannot be obtained by a C-dominated Horn clause. Thus, $\pi(i)$ is obtained by the ⊕-rule, which means that $\pi(i) = I(u)$ with $u \sim s \oplus r$ for some $I(s)$ and $I(r)$ occurring in $\pi_{<i}$. We may assume that $s \sim d \oplus s_1 \oplus \cdots \oplus s_p$, with $d \in C^\oplus$, and pairwise ⊕-distinct ⊕-reduced standard terms $s_1, \ldots, s_p \notin \overline{C}$, and $r \sim e \oplus r_1 \oplus \cdots \oplus r_q$, with $e \in C^\oplus$, and pairwise ⊕-distinct ⊕-reduced standard terms $r_1, \ldots, r_q \notin \overline{C}$.

According to our assumption, neither $s$ nor $r$ contains a complete subterm $t'$ with $t' \sim_C t$. In particular, neither $s$ nor $r$ contains $t'$ with $t' \sim t$. So, since $\pi(i) \sim I(s \oplus r)$ contains $t$ as a complete subterm, it must be the case that $t \sim s \oplus r$. Now, with $t \sim c \oplus t_1 \oplus \cdots \oplus t_n$, as above, and $k \in \{1, \ldots, n\}$, it follows that either $s_l \sim t_k$ or $r_l \sim t_k$, for some $l$. Suppose that the former case holds (the argument is similar for the latter case). If $p > 1$ (and thus $s$ is a bad term), then, by the induction hypothesis, we know that there exists $j < i$ such that $\pi(j) \sim I(\hat{s}_l \oplus s_l)$. Since $t_k \sim s_l$, we have that $\hat{t}_k \sim \hat{s}_l$, and hence, $\pi(j) \sim I(\hat{t}_k \oplus t_k)$. Otherwise, $s \sim d \oplus t_k$, and hence, by the definition of types, there exists $j < i$ with $\pi(j) \sim I(\hat{t}_k \oplus t_k)$. □

The following lemma is the key in proving that $\Lambda(\pi)$ is an incomplete derivation modulo XOR.

Lemma 11. For every $i \le |\pi|$, if $I(c \oplus t_1 \oplus \cdots \oplus t_n)$, for some $c \in C^\oplus$ and pairwise ⊕-distinct standard terms $t_1, \ldots, t_n \notin \overline{C}$, belongs to $\pi_{<i}$, then there is a derivation for $I(c \oplus \hat{t}_1 \oplus \cdots \oplus \hat{t}_n)$ from $\Lambda(\pi_{<i})$ modulo XOR.

Proof If n = or n > 1, then I(c©ti © ■ • • ffif„) ~ I(A(c© 
ti©- • -©in)) by the definition of A, and hence, I(c©fi©- • •© 
tn) can be derived from A(7r<i). So suppose that n — 1. 
Since we have I(c © fi) in 7r<i, then, by the definition of 
types, we also have (Bti) in 7r<i. Thus, by the definition 
of A, I(c © A(ti)) and © A{ti)) are in A(7r<j). From 
these one obtains I(c © fi) by applying the ©-rule. □ 

Now, we can finish the proof of Proposition 1. First, note that every non-standard message in $\Delta(\pi)$ is $C$-dominated. This immediately follows from the definition of $\Delta$. We will now show (*): For each $i \in \{1, \dots, |\pi|\}$, $\Delta(\pi(i))$ can be derived from $\Delta(\pi_{<i})$ modulo XOR by using only $C$-dominated terms. This then completes the proof of Proposition 1.

Recall that we assume that $\pi$ is $\oplus$-reduced and that in this derivation we use only $\oplus$-reduced substitutions. To prove (*), we consider two cases:

Case 1. $\pi(i)$ is obtained from $\pi_{<i}$ using a $C$-dominated Horn clause $R = (p_1(s_1), \dots, p_n(s_n) \to p_0(s_0))$ of $T$: Then there exists a $\oplus$-reduced substitution $\theta$ such that $\pi(i) = p_0(s_0\theta)$ and the atoms $p_1(s_1\theta), \dots, p_n(s_n\theta)$ occur in $\pi_{<i}$ modulo XOR. Thus, by Lemma [?], $p_1(\Delta(s_1\theta)), \dots, p_n(\Delta(s_n\theta))$ occur in $\Delta(\pi_{<i})$ modulo XOR. Now, by Lemma 7, we have that $\Delta(s_i\theta) \sim s_i(\Delta(\theta))$, for every $i \in \{0, \dots, n\}$. Thus, by applying $R$ with the substitution $\Delta(\theta)$, we obtain $\Delta(\pi(i)) \sim \Delta(s_0\theta) \sim s_0(\Delta(\theta))$.

Case 2. $\pi(i)$ is obtained by the $\oplus$-rule: Hence, there are two atoms $I(s)$ and $I(r)$ in $\pi_{<i}$ such that $\pi(i) \sim I(s \oplus r)$. We may assume that $s \sim c \oplus s_1 \oplus \dots \oplus s_m$, with $c \in C^\oplus$, and pairwise $\oplus$-distinct $\oplus$-reduced standard terms $s_1, \dots, s_m \notin C$, and $r \sim d \oplus r_1 \oplus \dots \oplus r_l$, with $d \in C^\oplus$, and pairwise $\oplus$-distinct $\oplus$-reduced standard terms $r_1, \dots, r_l \notin C$. Let $\{t_1, \dots, t_n\} = (S \setminus R) \cup (R \setminus S)$, for $S = \{s_1, \dots, s_m\}$ and $R = \{r_1, \dots, r_l\}$. Then, $\pi(i) \sim I(s \oplus r) \sim I(c \oplus d \oplus t_1 \oplus \dots \oplus t_n)$. By Lemma 11 we know that $I(c \oplus s_1 \oplus \dots \oplus s_m)$ and $I(d \oplus r_1 \oplus \dots \oplus r_l)$ can be derived from $\Delta(\pi_{<i})$ modulo XOR. Hence, $I(t')$ with $t' = c \oplus d \oplus t_1 \oplus \dots \oplus t_n$ can be derived from $\Delta(\pi_{<i})$ as well (by applying the $\oplus$-rule). Now, let us consider two cases:

(a) $n = 0$ or $n > 1$: In this case, we have that $\Delta(\pi(i)) \sim I(t')$, and hence, $\Delta(\pi(i))$ can be derived from $\Delta(\pi_{<i})$.

(b) $n = 1$: Because $I(c \oplus s_1 \oplus \dots \oplus s_m)$ and $I(d \oplus r_1 \oplus \dots \oplus r_l)$ occur in $\pi_{<i}$ modulo XOR, by Lemma 10 $I(t_1 \oplus t_1)$ occurs in $\pi_{<i}$ modulo XOR as well. Thus, by Lemma 5, $I(t_1 \oplus \Delta(t_1))$ occurs in $\Delta(\pi_{<i})$ modulo XOR. Now, because $I(t')$, with $t' = c \oplus d \oplus t_1$, can be derived from $\Delta(\pi_{<i})$ modulo XOR, so can $I(c \oplus d \oplus \Delta(t_1)) \sim \Delta(\pi(i))$. □

4 The Reduction

In this section, we show how the deduction problem modulo XOR can be reduced to the deduction problem without XOR for $C$-dominated theories. More precisely, for a $C$-dominated theory $T$, we show how to effectively construct a Horn theory $T^+$ such that a ($C$-dominated) fact can be derived from $T$ modulo XOR iff it can be derived from $T^+$ in a syntactic derivation, where XOR is considered to be a function symbol without any algebraic properties. As mentioned, the syntactic deduction problem, and hence the problem of checking secrecy for cryptographic protocols w.r.t. an unbounded number of sessions, can then be solved by tools, such as ProVerif, which cannot deal with the algebraic properties of XOR.

In the remainder of this section, let $T$ be a $C$-dominated theory. In what follows, we will first define the reduction function, which turns $T$ into $T^+$, and state the main result (Section 4.1), namely that the reduction is sound and complete as stated above. Before proving this result in Section 4.3, we illustrate the reduction function by our running example (Section 4.2).

4.1 The Reduction Function

The reduction function uses an operator $\lceil \cdot \rceil$ which turns terms into what we call normal form, and a set $\Sigma(t)$ of substitutions associated with the term $t$. We first define this operator and the set $\Sigma(t)$. The operator is defined w.r.t. a linear ordering $<_C$ on $C$, which we fix once and for all.

Definition 3. For a $C$-dominated term $t$, we define the normal form of $t$, denoted by $\lceil t \rceil$, recursively as follows:

• If $t$ is a variable, then $\lceil t \rceil = t$.

• If $t = f(t_1, \dots, t_n)$ is standard, then $\lceil t \rceil = f(\lceil t_1 \rceil, \dots, \lceil t_n \rceil)$.

• If $t \in C^\oplus$ is non-standard and $t \sim c_1 \oplus \dots \oplus c_n$, for some pairwise $\oplus$-distinct $c_1, \dots, c_n \in C$, $n > 1$, such that $c_1 <_C \dots <_C c_n$, then $\lceil t \rceil = \lceil c_1 \rceil \oplus (\lceil c_2 \rceil \oplus (\dots \oplus \lceil c_n \rceil))$.

• If $t$ is non-standard and $t \sim c \oplus t'$, for some $c \in C^\oplus$, $c \ne 0$, and standard $t'$ not in $C$, then $\lceil t \rceil = \lceil c \rceil \oplus \lceil t' \rceil$.

We say that a term $t$ is in normal form, if $t = \lceil t \rceil$. A substitution $\theta$ is in normal form, if $\theta(x)$ is in normal form for each variable $x$ in the domain of $\theta$.

It is easy to see that $\lceil t \rceil = \lceil s \rceil$ for $C$-dominated terms $t$ and $s$ iff $t \sim s$, and that $\lceil t \rceil$ is $\oplus$-reduced for any $t$. By $C^\oplus_{nf}$ we denote the set $\{\lceil c \rceil \mid c \in C^\oplus\}$. Clearly, this set is finite and computable in exponential time in the size of $C$.

To define the set of substitutions, we need the notion of fragile subterms. For a $C$-dominated term $t$, the set of fragile subterms of $t$, denoted by $\mathcal{F}(t)$, is $\mathcal{F}(t) = \{s \mid s$ is a non-ground, standard term which occurs as a subterm of $t$ in the form $t' \oplus s$ or $s \oplus t'$ for some $t'\}$. For example, $\mathcal{F}((a \oplus \langle x, b \rangle) \oplus b) = \{\langle x, b \rangle\}$.

We are now ready to define the (finite and effectively computable) set $\Sigma(t)$ of substitutions for a $C$-dominated term $t$. The main property of this set is the following: For every $C$-dominated, ground substitution $\theta$ in normal form, there exists a substitution $\sigma \in \Sigma(t)$ and a substitution $\theta'$ such that $\lceil t\theta \rceil = (\lceil t\sigma \rceil)\theta'$. In other words, the substitutions in $\Sigma(t)$ yield all relevant instances of $t$: all ground, normalized instances are syntactic instances of those instances. This resembles the finite variant property of XOR [11] mentioned in the introduction. However, our construction of $\Sigma(t)$ is tailored and optimized towards $C$-dominated terms and substitutions. More importantly, we obtain a stronger property in the sense that the equality $\lceil t\theta \rceil = (\lceil t\sigma \rceil)\theta'$ is syntactic equality, not only equality modulo AC; the notion of $C$-domination, which we introduced here, is crucial in order to obtain this property. Having syntactic equality is important for our reduction in order to get rid of algebraic properties completely.

Definition 4. Let $t$ be a $C$-dominated term. We define a family of substitutions $\Sigma(t)$ as follows. The domain of every substitution in $\Sigma(t)$ is the set of all variables which occur in some $s \in \mathcal{F}(t)$. Now, $\sigma \in \Sigma(t)$, if for each $x \in dom(\sigma)$ one of the following cases holds:

(i) $\sigma(x) = x$,

(ii) $x \in \mathcal{F}(t)$ and $\sigma(x) = c \oplus x$, for some $c \in C^\oplus_{nf}$, $c \ne 0$,

(iii) there exists $s \in \mathcal{F}(t)$ with $x \in var(s)$ and a $C$-dominated substitution $\theta$ in normal form such that $s\theta \in C^\oplus$ and $\sigma(x) = \theta(x)$.

To illustrate the definition and the property mentioned above, consider, as an example, $t = c \oplus x$ and the substitution $\theta(x) = d \oplus m$, with $d \in C^\oplus$, and a $C$-dominated, standard term $m \notin C^\oplus$ in normal form. In this case, we can choose $\sigma(x) = d \oplus x$ according to (ii). With $\theta'(x) = m$, we obtain $\lceil t\theta \rceil = \lceil c \oplus d \rceil \oplus m = (\lceil t\sigma \rceil)\theta'$. If $\theta(x)$ were $d \in C^\oplus_{nf}$, then (iii) would be applied.

We can show (see the appendix):

Lemma 12. For a $C$-dominated term $t$, the set $\Sigma(t)$ can be computed in exponential time in the size of $t$.

We are now ready to define the reduction function which turns $T$ into $T^+$. The Horn theory $T^+$ is given in Fig. 2. With the results shown above, it is clear that $T^+$ can be constructed in exponential time from $T$. The Horn clauses in (6)-(9) simulate the $\oplus$-rule in case the terms we consider are $C$-dominated. The other rules in $T$ are simulated by the rules in (5), which are constructed in such a way that they allow us to produce messages in normal form for input messages in normal form.

We can now state the main theorem of this paper. This theorem states that a message (a secret) can be derived from $T$ using derivations modulo XOR if and only if it can be derived from $T^+$ using only syntactic derivations, i.e., no algebraic properties of XOR are taken into account. As mentioned, this allows us to reduce the problem of verifying secrecy for cryptographic protocols with XOR to the XOR-free case. The latter problem can then be handled by tools, such as ProVerif, which otherwise could not deal with XOR.

Theorem 1. For a $C$-dominated Horn theory $T$ and a $C$-dominated message $b$ in normal form, we have: $T \vdash_\oplus b$ if and only if $T^+ \vdash b$.

Before we prove this theorem, we illustrate the reduction by our running example.

4.2 Example

Consider the Horn theory $T_{NSL_\oplus}$ of our running example. As mentioned in Section 3, this Horn theory is $C$-dominated for $C = \{a, b\}$. In what follows, we illustrate how $T_{NSL_\oplus}^+$ looks, where the elements of $C$ are ordered as $a <_C b$.

First, consider the instances of Horn clauses of $T_{NSL_\oplus}$ given by (5). Only the Horn clause in (3) has fragile subterms. All other Horn clauses have only one instance in $T_{NSL_\oplus}^+$: the rule itself. This is because for such Horn clauses $\Sigma(\cdot)$ contains only one substitution, the identity. The Horn clause in (3) has one fragile subterm, namely $x$. Hence, the domain of every substitution in the corresponding $\Sigma$-set is $\{x\}$, and according to Definition 4 this set contains the following eight substitutions: item (i) gives $\sigma_1 = \{x/x\}$; item (ii) gives $\sigma_2 = \{a \oplus x/x\}$, $\sigma_3 = \{b \oplus x/x\}$, and $\sigma_4 = \{(a \oplus b) \oplus x/x\}$; item (iii) gives $\sigma_5 = \{0/x\}$, $\sigma_6 = \{a/x\}$, $\sigma_7 = \{b/x\}$, and $\sigma_8 = \{a \oplus b/x\}$. For each of these substitutions we obtain an instance of (3). For example, $\sigma_4$ yields

$I(\{(a \oplus b) \oplus x, a\}_{pub(k_b)}) \to I(\{m(b, a), a \oplus x\}_{pub(k_b)})$.
$\lceil r_1\sigma \rceil, \dots, \lceil r_n\sigma \rceil \to \lceil r_0\sigma \rceil$   for each $C$-dominated rule $r_1, \dots, r_n \to r_0$ of $T$ and each $\sigma \in \Sigma((r_0, \dots, r_n))$   (5)

$I(c), I(c') \to I(\lceil c \oplus c' \rceil)$   for each $c, c' \in C^\oplus_{nf}$   (6)

$I(c), I(x) \to I(c \oplus x)$   for each $c \in C^\oplus_{nf}$   (7)

$I(c), I(c' \oplus x) \to I(\lceil c \oplus c' \rceil \oplus x)$   for each $c, c' \in C^\oplus_{nf}$   (8)

$I(c \oplus x), I(c' \oplus x) \to I(\lceil c \oplus c' \rceil)$   for each $c, c' \in C^\oplus_{nf}$   (9)

Figure 2: Rules of the theory $T^+$. We use the convention that $I(0 \oplus x)$ stands for $I(x)$.



Now, consider the Horn clauses induced by (6)-(9). For example, the set of Horn clauses (8) contains among others: $I(a \oplus b), I(b \oplus x) \to I(a \oplus x)$ and $I(b), I(a \oplus x) \to I((a \oplus b) \oplus x)$.
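To make Definitions 3 and 4 and the example above concrete, here is an added Python script (not the paper's SWI-Prolog implementation) that computes $\lceil t \rceil$, $\mathcal{F}(t)$ and $\Sigma(t)$ for $C = \{a, b\}$ with $a <_C b$ and instantiates Horn clause (3) of the running example the way clause family (5) does. It assumes that $C$ contains only constants, reads $0 \oplus t'$ as $t'$ (the convention of Figure 2), and uses the hypothetical function names enc, pair, m and pub for the encryption, pairing, nonce and public-key symbols.

```python
from dataclasses import dataclass
from itertools import product

# Term representation constructed for this example: Var(x) is a variable, Fun(f, args)
# a standard term f(t1, ..., tn) (a constant is Fun(name)), Xor(l, r) the term l ⊕ r.
@dataclass(frozen=True)
class Var:
    name: str
@dataclass(frozen=True)
class Fun:
    name: str
    args: tuple = ()
@dataclass(frozen=True)
class Xor:
    left: object
    right: object

C = ("a", "b")      # the set C of the running example, ordered a <_C b (assumed: constants only)
ZERO = Fun("0")     # the neutral element 0 of ⊕
in_C = lambda t: isinstance(t, Fun) and not t.args and t.name in C

def split(t):
    """Flatten t modulo AC and ⊕-reduction (s ⊕ s = 0, 0 ⊕ s = s) into the constant
    part (a frozenset of names from C) and the normalized standard summands not in C."""
    consts, others, stack = set(), [], [t]
    while stack:
        u = stack.pop()
        if isinstance(u, Xor):
            stack += [u.left, u.right]
        elif in_C(u):
            consts ^= {u.name}
        elif u != ZERO:
            u = nf(u)                     # compare standard summands modulo ~ via normal forms
            others.remove(u) if u in others else others.append(u)
    return frozenset(consts), others

def nf_const(consts):
    """⌈c⌉ for c ∈ C^⊕: summands sorted by <_C and nested to the right (Definition 3)."""
    names = sorted(consts, key=C.index)
    acc = Fun(names[-1]) if names else ZERO
    for n in reversed(names[:-1]):
        acc = Xor(Fun(n), acc)
    return acc

def nf(t):
    """Normal form ⌈t⌉ of a C-dominated term t (Definition 3); 0 ⊕ t' is read as t'."""
    if isinstance(t, Var):
        return t
    if isinstance(t, Fun):
        return Fun(t.name, tuple(nf(a) for a in t.args))
    consts, others = split(t)
    if len(others) > 1:
        raise ValueError("not C-dominated: %r" % (t,))
    if not others:
        return nf_const(consts)
    return others[0] if not consts else Xor(nf_const(consts), others[0])

def variables(t):
    if isinstance(t, Var):
        return {t}
    if isinstance(t, Fun):
        return set().union(*(variables(a) for a in t.args))
    return variables(t.left) | variables(t.right)

def fragile(t):
    """F(t): non-ground standard terms occurring as a direct summand of some ⊕ inside t."""
    out = set()
    def walk(u):
        if isinstance(u, Xor):
            for s in (u.left, u.right):
                if not isinstance(s, Xor) and variables(s):
                    out.add(s)
                walk(s)
        elif isinstance(u, Fun):
            for a in u.args:
                walk(a)
    walk(t)
    return out

# C^⊕_nf: every ⊕-combination of constants from C in normal form, 0 included.
C_NF = [nf_const(frozenset(n for n, bit in zip(C, bits) if bit))
        for bits in product((0, 1), repeat=len(C))]

def sigma_set(t):
    """Σ(t) of Definition 4. Because C contains only constants, case (iii) can make
    sθ ∈ C^⊕ only when the fragile subterm s is the variable x itself, giving σ(x) = c."""
    F = fragile(t)
    dom = sorted(set().union(*(variables(s) for s in F)), key=lambda v: v.name)
    choices = []
    for x in dom:
        opts = [x]                                             # (i)
        if x in F:
            opts += [Xor(c, x) for c in C_NF if c != ZERO]     # (ii)
            opts += C_NF                                       # (iii)
        choices.append([(x, o) for o in opts])
    return [dict(combo) for combo in product(*choices)]

def subst(t, sigma):
    if isinstance(t, Var):
        return sigma.get(t, t)
    if isinstance(t, Fun):
        return Fun(t.name, tuple(subst(a, sigma) for a in t.args))
    return Xor(subst(t.left, sigma), subst(t.right, sigma))

def reduce_rule(premises, conclusion):
    """The instances ⌈r1σ⌉, ..., ⌈rnσ⌉ → ⌈r0σ⌉, σ ∈ Σ((r0, ..., rn)), of clause family (5)."""
    whole = Fun("rule", (conclusion,) + tuple(premises))   # Σ is taken over the whole rule
    return [([nf(subst(p, s)) for p in premises], nf(subst(conclusion, s)))
            for s in sigma_set(whole)]

# Horn clause (3) of the running example, I({x, a}_pub(k_b)) → I({m(b, a), x ⊕ b}_pub(k_b)),
# written with the hypothetical function names enc, pair, m and pub.
x, a, b = Var("x"), Fun("a"), Fun("b")
PUB_KB = Fun("pub", (Fun("k_b"),))
RULE3 = ([Fun("enc", (Fun("pair", (x, a)), PUB_KB))],
         Fun("enc", (Fun("pair", (Fun("m", (b, a)), Xor(x, b))), PUB_KB)))
```

Calling reduce_rule(*RULE3) yields the eight instances of (3) listed above; the one for $\sigma_4$ has conclusion $I(\{m(b, a), a \oplus x\}_{pub(k_b)})$ because $((a \oplus b) \oplus x) \oplus b$ normalizes to $a \oplus x$.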

4.3 Proof of Theorem 1

In what follows, let $T$ be a $C$-dominated Horn theory and $b$ be a $C$-dominated message in normal form. Note that $\lceil b \rceil = b$. The following lemma proves that our reduction is sound, i.e., that $T^+ \vdash b$ implies $T \vdash_\oplus b$.

Lemma 13. If $\pi$ is a syntactic derivation for $b$ from $T^+$, then $\pi$ is a derivation for $b$ from $T$ modulo XOR.

Proof. Let $\pi$ be a syntactic derivation for $b$ from $T^+$. To prove the lemma it suffices to prove that each $\pi(i)$ can be obtained by a derivation modulo XOR from $T$ and $\pi_{<i}$. If $\pi(i)$ is obtained from $\pi(j)$ and $\pi(k)$ for $j, k < i$, using one of the Horn clauses (6)-(9), then we can apply the $\oplus$-rule with $\pi(j)$ and $\pi(k)$ to obtain $\pi(j) \oplus \pi(k) \sim \pi(i)$.

Now, suppose that $\pi(i)$ is obtained using a Horn clause in (5) of the form $\lceil r_1\sigma \rceil, \dots, \lceil r_n\sigma \rceil \to \lceil r_0\sigma \rceil$ for some Horn clause $(r_1, \dots, r_n \to r_0) \in T$ and some $\sigma \in \Sigma((r_0, \dots, r_n))$. Hence, there exists a substitution $\theta$ and, for each $k \in \{1, \dots,  n\}$, there exists $j < i$ such that $\pi(j) = \lceil r_k\sigma \rceil\theta \sim (r_k\sigma)\theta = r_k(\sigma\theta)$. So, we can use the rule $r_1, \dots, r_n \to r_0$ to obtain $r_0(\sigma\theta) = (r_0\sigma)\theta \sim \lceil r_0\sigma \rceil\theta = \pi(i)$. Note that $\lceil t \rceil \sim t$ and if $t \sim t'$, then $t\sigma \sim t'\sigma$ for all terms and substitutions $\sigma$. □

To prove the completeness of our reduction, i.e., that $T \vdash_\oplus b$ implies $T^+ \vdash b$, we first prove the property of $\Sigma(t)$ mentioned before Definition 4. For this, we need the following definition.

Definition 5. Let $t$ be a $C$-dominated term and $\theta$ be a $C$-dominated, ground substitution in normal form with $dom(\theta) = var(t)$. Let $\sigma = \sigma(t, \theta)$ be the substitution defined as follows. The domain of $\sigma$ is the set of all variables that occur in some $s \in \mathcal{F}(t)$. Let $x$ be such a variable. We define $\sigma(x)$ according to the following conditions, which have decreasing priority:

(a) If there exists $s \in \mathcal{F}(t)$ with $x \in var(s)$ such that $s\theta \in C^\oplus$, then $\sigma(x) = \theta(x)$.

(b) Otherwise, if $x \in \mathcal{F}(t)$ and $\theta(x) = c \oplus s'$, for $c \in C^\oplus$ and some standard term $s'$ not in $C^\oplus$, then $\sigma(x) = c \oplus x$. (Note that $c \ne 0$ since $\theta(x)$ is in normal form.)

(c) Otherwise, $\sigma(x) = x$. (Note that in this case we know that $\theta(x)$ is some standard term not in $C^\oplus$ if $x \in \mathcal{F}(t)$.)

Equipped with this definition, we show (see the appendix) the property of $\Sigma(t)$ mentioned before Definition 4.

Lemma 14. Let $t$ be a $C$-dominated term and $\theta$ be a $C$-dominated, ground substitution in normal form with $dom(\theta) = var(t)$. Then, $\sigma = \sigma(t, \theta) \in \Sigma(t)$ and there exists a substitution $\theta'$ such that $\theta = \sigma\theta'$, i.e., $\theta(x) = \sigma(x)\theta'$ for every $x \in dom(\theta)$, and $\lceil t'\theta \rceil = \lceil t'\sigma \rceil\theta'$ for every subterm $t'$ of $t$.

We can now show the completeness of our reduction.

Lemma 15. If $\pi$ is a $C$-dominated derivation for $b$ from $T$ modulo XOR, then $\lceil \pi \rceil$ is a syntactic derivation for $b$ from $T^+$.

Proof. We show that every $\lceil \pi(i) \rceil$ can be derived syntactically from $T^+$ and $\lceil \pi_{<i} \rceil$. Two cases are distinguished:

Case 1: $\pi(i)$ is obtained from $\pi(j) = I(t)$ and $\pi(k) = I(s)$, for $j, k < i$, using the $\oplus$-rule. In that case $\pi(i) = I(t \oplus s)$. By assumption $t$, $s$, and $t \oplus s$ are $C$-dominated, and hence, $\lceil t \rceil$, $\lceil s \rceil$, $\lceil t \oplus s \rceil$ are either normalized standard terms not in $C^\oplus$, terms in $C^\oplus$, or terms of the form $c \oplus u$ for $c \in C^\oplus_{nf}$ and a normalized standard term $u \notin C^\oplus$, respectively. However, it is not the case that $\lceil t \rceil = c \oplus u$ or $\lceil t \rceil = u$ and $\lceil s \rceil = u' \notin C^\oplus$ or $\lceil s \rceil = c' \oplus u'$ with $u \ne u'$, since otherwise $\lceil t \oplus s \rceil$ would not be $C$-dominated. Now, it is easy to see that the $\oplus$-rule can be simulated by one of the Horn clauses (6)-(9).

Case 2: $\pi(i)$ is obtained using some $C$-dominated rule $(r_1, \dots, r_n \to r_0) \in T$ and a ground substitution $\theta$. Since $\pi$ is $C$-dominated, by Lemmas [?] and 3 we may assume that $\theta$ is $C$-dominated. Since $\pi$ is a derivation modulo XOR, we may also assume that $\theta$ is in normal form. We have that $\pi(i) \sim r_0\theta$ and there exist $j_1, \dots, j_n < i$ such that $\pi(j_k) \sim r_k\theta$, for all $k \in \{1, \dots, n\}$.

Let $\sigma = \sigma((r_0, \dots, r_n), \theta)$ and let $\theta'$ be as specified in Lemma 14. By Lemma 14, $\sigma \in \Sigma((r_0, \dots, r_n))$. Now, to obtain $\lceil \pi(i) \rceil$, we can use the rule $\rho = (\lceil r_1\sigma \rceil, \dots, \lceil r_n\sigma \rceil \to \lceil r_0\sigma \rceil) \in T^+$ with the substitution $\theta'$. In fact, by Lemma 14 we have that $\lceil r_k\sigma \rceil\theta' = \lceil r_k\theta \rceil = \lceil \pi(j_k) \rceil$ for all $k \in \{0, \dots, n\}$, where $j_0 = i$. (Recall that for $C$-dominated terms $s$ and $t$ with $s \sim t$, we have that $\lceil s \rceil = \lceil t \rceil$.) □

Now, from the above lemma and Proposition 1 it immediately follows that $T \vdash_\oplus b$ implies $T^+ \vdash b$.

5 Authentication

In the previous section, we showed how to reduce the derivation problem modulo XOR for $C$-dominated Horn theories to the syntactic derivation problem. While the derivation problem corresponds to the secrecy problem for cryptographic protocols w.r.t. an unbounded number of sessions, in this section, we will see that it is not hard to extend our result to authentication properties.

Authentication as Correspondence Assertions

Authentication properties are often expressed as correspondence assertions of the form $end(x) \Rightarrow begin(x)$ where $x$ describes the parameters on which the begin and end events should agree. This correspondence should be read as follows: If event $end(x)$ has occurred, then also event $begin(x)$. For example, $end(a, b, n) \Rightarrow begin(a, b, n)$ could be interpreted as: If $b$ thinks to have finished a run of a protocol with $a$ in which the nonce $n$ was used (in this case event $end(a, b, n)$ occurred), then $a$ has actually run a protocol with $b$ in which $n$ was used (in this case event $begin(a, b, n)$ occurred). To check such correspondence assertions in the Horn theory based approach, roughly speaking, the protocol rules are augmented with atoms representing events of the form $begin(x)$ and $end(x)$ (see, e.g., [?] for details).

For our running example, this is illustrated in Figure 3. In (13), the end event indicates that $b$ believes to have talked to $a$ and that the nonce $m(b, a, sid, x)$ was used in the interaction, where $x$ is the nonce $b$ believes to have received from $a$ and $sid$ is a session identifier. The parameters $x$ and $sid$ are added to the term representing the nonce in order to make the analysis more precise. In particular, the session identifier is added in order to make the correspondence stronger: The events should not only correspond on the names and the nonces used in the protocol run, but also on the session identifiers. Note that without the session identifier, correspondence of sessions would not be guaranteed, since in the Horn theory based approach new protocol runs do not necessarily use completely fresh nonces. The begin event in (12) indicates that $a$ has just received the response from $b$ and now outputs her response to $b$, where the begin event contains the nonce received from $b$.

We note that, strictly speaking, the Horn theory depicted in Figure 3 falls out of the class of Horn theories that we allow, not because of $\oplus$-linearity but because of the fact that the variable $sid$ occurs on the right-hand side of a Horn clause but not on the left-hand side (see (10) and (11)). However, as we noted in Section 2, this assumption can easily be relaxed for variables that are supposed to be substituted only by $C$-dominated terms, which is the case for session identifiers.

Now, let $T$ be a Horn theory model of a protocol and an intruder, i.e., $T$ consists of a set of protocol rules (such as those in Figure 3), a set of initial intruder facts, and a set of intruder rules. Following Blanchet [3], we say that a (non-injective) correspondence assertion of the form $end(x) \Rightarrow begin(x)$ is satisfied by $T$ if

for every finite set of messages $B$ and every message $m_0 \notin \overline{B}$, it holds that $T \cup \{begin(m) \mid m \in B\} \nvdash_\oplus end(m_0)$,   (14)

where $\overline{B} = \{t \mid$ there exists $t' \in B$ and $t \sim t'\}$. In [3], this formulation (more precisely, a syntactic version, i.e., the XOR-free version) is somewhat implicit in a theorem which reduces correspondence assertions in process calculus to Horn theories. Blanchet then proposes a method for proving the syntactic version of (14) using ProVerif.

Extending Our Reduction to Correspondence Assertions

The following theorem extends our reduction presented in Section 4 to the problem of solving (14) with XOR. In fact, we show that if in (14) the ($C$-dominated) Horn theory $T$ is replaced by $T^+$ (i.e., we can use the same reduction function as in Section 4), then derivation modulo XOR ($\vdash_\oplus$) can be replaced by syntactic derivation ($\vdash$). Now, the latter problem (the syntactic version of (14)) can be solved using ProVerif. Formally, we can prove:

Theorem 2. Let $T$ be a $C$-dominated Horn theory. Then, (14) holds iff for every finite set of messages $B$ and every message $m_0 \notin \overline{B}$, it holds that $T^+ \cup \{begin(m) \mid m \in B\} \nvdash end(m_0)$.

The proof of this theorem requires a slight extension of Proposition 1, stated below, in which an injective version of $\Delta$ is used, i.e., $t \ne t'$ should imply that $\Delta(t) \ne \Delta(t')$. This is needed to guarantee that if $m_0 \notin \overline{B}$, then $\Delta(m_0) \notin \overline{\Delta(B)}$.

This can be achieved by fixing an injective function $\gamma$ which takes a term to some term built from [?] and $\langle \cdot, \cdot \rangle$ (or any other function which the intruder can apply). We also add the fresh constant $c_0$ to the intruder's knowledge. Now, for a bad term $t = c \oplus t_1 \oplus \dots \oplus t_n$ we define $\Delta(t) = c \oplus t_1 \oplus \dots \oplus t_n \oplus \{\gamma(t)\}_{c_0}$. The important property of $\{\gamma(t)\}_{c_0}$ is that the intruder can derive this message and that it is unique for every term $t$.

Figure 3: Rules for authentication ($sid$ is a variable intended to range over session identifiers). [The rule layout did not survive extraction; the recoverable atoms, in order of appearance, are the premises $I(\{x, a\}_{pub(k_b)})$ and $begin(a, b, y), I(\{y, n(a, b, sid) \oplus b\}_{pub(k_b)})$, the conclusions $I(\{n(a, b, sid), a\}_{pub(k_b)})$, $I(\{m(b, a, sid, x), x \oplus b\}_{pub(k_a)})$, $I(\{y\}_{pub(k_b)})$ and $end(a, b, m(b, a, sid, x))$, and the side conditions: (10) for every $a \in H$, $b \in P$; (11) for every $b \in H$, $a \in P$; (12) for every $a \in H$, $b \in P$; (13) for every $b \in H$, $a \in P$.]

Proposition 2. Let $T$ be a $C$-dominated Horn theory, $B$ be a finite set of facts, and $a$ be a fact. If $T \cup B \vdash_\oplus a$, then there exists a $C$-dominated derivation for $\Delta(a)$ from $T \cup \Delta(B)$ modulo XOR.

The proof of this proposition is very similar to the one of Proposition 1. Only minor modifications are necessary.

Now, to prove Theorem 2, it suffices to show that the following conditions are equivalent, for a $C$-dominated theory $T$:

(i) there exist a finite set of messages $B$ and a message $m_0 \notin \overline{B}$ such that $T \cup \{begin(m) \mid m \in B\} \vdash_\oplus end(m_0)$,

(ii) there exist a finite set of $C$-dominated messages $B$ and a $C$-dominated message $m_0 \notin \overline{B}$ such that $T \cup \{begin(m) \mid m \in B\} \vdash_\oplus end(m_0)$,

(iii) there exist a finite set of $C$-dominated messages $B$ and a $C$-dominated message $m_0 \notin \overline{B}$ such that $T^+ \cup \{begin(m) \mid m \in B\} \vdash end(m_0)$,

(iv) there exist a finite set of messages $B$ and a message $m_0 \notin \overline{B}$ such that $T^+ \cup \{begin(m) \mid m \in B\} \vdash end(m_0)$.

Proof. The implication (i)⇒(ii) follows from Proposition 2 and the fact that $\Delta$ is injective; (ii)⇒(iii) is given by Theorem 1 (we use the fact that $T \cup \{begin(m) \mid m \in B\}$ is $C$-dominated and the fact that $(T \cup \{begin(m) \mid m \in B\})^+ = T^+ \cup \{begin(m) \mid m \in \lceil B \rceil\}$); (iii)⇒(iv) is trivial; finally, (iv)⇒(i) is given by Lemma 13. □



6 Implementation and Experiments

We have implemented our reduction and, together with ProVerif, tested it on a set of protocols which employ the XOR operator (see [17] for the implementation). In this section, we report on our implementation and the experimental results.

6.1 Implementation

We have implemented our reduction function in SWI-Prolog (version 5.6.14). Our implementation essentially takes a Horn theory as input. More precisely, the input consists of (1) a declaration of all the functor symbols used in the protocol and by the intruder, (2) the initial intruder facts as well as the protocol and intruder rules, except for the $\oplus$-rule, which is assumed implicitly, and (3) a statement which defines a secrecy or authentication goal. Moreover, options that are handed over to ProVerif may be added.

Our implementation then first checks whether the given Horn theory, say $T$ (part (2) of the input), is $\oplus$-linear. If it is not, an error message is returned. If it is, a set $C$ is computed such that the Horn theory is $C$-dominated. Recall that such a set always exists if the Horn theory is $\oplus$-linear. It is important to keep $C$ as small as possible, in order for the reduction to be more efficient. Once $C$ is computed, the reduction function as described in Section 4 is applied to $T$, i.e., $T^+$ is computed. Now, $T^+$ together with the rest of the original input is passed on to ProVerif. This tool then does the rest of the work, i.e., it checks the goals for $T^+$. This is possible since, due to the reduction, the XOR operator in $T^+$ can now be considered to be an operator without any algebraic properties.

Our implementation does not follow the construction of the reduction function described in Section 4 precisely, in order to produce an output that is optimized for ProVerif (but still equivalent): a) While terms of the form $c \oplus t$, with $c \in C^\oplus$, $t \notin C^\oplus$, are represented by $xor(c, t)$, terms $a \oplus b \in C^\oplus_{nf}$ are represented by $xx(a, b)$. This representation prevents some unnecessary unifications between terms. However, it is easy to see that with this representation, the proofs of soundness and completeness of our reduction still go through. The basic reason is that terms in $C^\oplus_{nf}$ can be seen as constants. b) For the Horn clauses in Figure 2, (6)-(9), we do not produce copies for every choice of $c, c' \in C^\oplus_{nf}$. Instead, we use a more compact representation by introducing auxiliary predicate symbols. For example, the family of Horn clauses in (8) is represented as follows: $xtab(x, y, z), I(y), I(xor(x, t)) \to I(xor(z, t))$, where the facts $xtab(c, c', \lceil c \oplus c' \rceil)$ for every $c, c' \in C^\oplus_{nf}$ are added to the Horn theory given to ProVerif.

Figure 4: Experimental Results. [The table did not survive extraction.]

6.2 Experiments

We applied our method to a set of ($\oplus$-linear) protocols. The results, obtained by running our implementation on a 2.4 GHz Intel Core 2 Duo E6700 processor with 2GB RAM, are depicted in Figure 4, where we list both the time of the reduction and the time ProVerif needed for the analysis of the output of the reduction. We note that except for certain versions of the CCA protocol, the other protocols listed in Figure 4 are out of the scope of the implementation in [14], the only other implementation that we know of for cryptographic protocol analysis w.r.t. an unbounded number of sessions that takes XOR into account. As mentioned in the introduction, the method in [14] is especially tailored to the CCA protocol. It can only deal with symmetric encryption and the XOR operator, but, for example, cannot deal with protocols that use public-key encryption or pairing. Let us discuss the protocols and settings that we analyzed in more detail.

By $NSL_\oplus$ we denote our running example. Since there is an attack on this protocol, we also propose a fix $NSL_\oplus$-fix in which the message $\{\langle M, N \oplus B \rangle\}_{pub(sk_A)}$ is replaced by $\{\langle M, h(\langle N, M \rangle) \oplus B \rangle\}_{pub(sk_A)}$ for a hash function $h(\cdot)$. We analyze both authentication and secrecy properties for these ($\oplus$-linear) protocols.

The ($\oplus$-linear) protocol SK3 [18] is a key distribution protocol for smart cards, which uses the XOR operator. RA denotes an ($\oplus$-linear) group protocol for key distribution [6]. Since there is a known attack on this protocol, we proposed a fix: a message $k_{A,B} \oplus h(\langle key(A), N \rangle)$ sent by the key distribution server to $A$ is replaced by $k_{A,B} \oplus h(\langle key(A), \langle N, B \rangle \rangle)$.

CCA stands for the Common Cryptographic Architecture (CCA) API [1] as implemented on the hardware security module IBM 4758 (an IBM cryptographic coprocessor). The CCA API is used in ATMs and mainframe computers of many banks to carry out PIN verification requests. It accepts a set of commands, which can be seen as receive-send actions, and hence, as cryptographic protocols. The only key stored in the security module is the master key $KM$. All other keys are kept outside of the module in the form $\{k\}_{KM \oplus type}$, where $type \in \{DATA, IMP, EXP, PIN\}$ denotes the type of the key and each type is some fixed constant. The commands of the CCA API include the following: commands for encrypting/decrypting data using data keys, and commands to export/import a key to/from another security module. The latter is done by encrypting/decrypting the key with a key-encryption-key.

In Figure 5, we model the most important commands of the CCA API (see also [14]) in terms of Horn clauses. Encipher and Decipher are used to encrypt/decrypt data by data keys. KeyExport is used to export a key to another security module by encrypting it under a key-encryption-key, with KeyImport being the corresponding import command. The problem is to make the same key-encryption-key available in different security modules. This is done by a secret sharing scheme using the commands KeyPartImp-First to KeyPartImp-Last, where $KP$ is a type (a constant) which stands for "key part", $kek$ is obtained as $k1 \oplus k2 \oplus k3$, and each $ki$, $i \in \{1, 2, 3\}$, is supposed to be known by only one individual. KeyTranslate is used to encrypt a key under a different key-encryption-key.

We note that some of the Horn clauses in Figure 5, namely KeyPartImp-Middle and KeyPartImp-Last, are not linear. Fortunately, one can apply a standard unfolding technique for Horn clauses together with straightforward simplifications to obtain an equivalent Horn theory with only $\oplus$-linear rules.

There are several known attacks on the CCA API, which concern the key-part-import process. One attack is by Bond [5]. As a result of this attack the intruder is able to obtain PINs for each account number by performing data encryption on the security module. A stronger attack was found by IBM and is presented in [8], where the intruder can obtain a PIN derivation key, and hence, can obtain PINs even without interacting with the security module. However, the IBM attack depends on key conjuring [14], and hence, is harder to carry out. Using our implementation (together with ProVerif) and the configuration denoted by CCA-0 in Figure 4 we found a new attack which achieves the same as the IBM attack, but is more efficient as it does not depend on key conjuring. Our attack is presented at the end of this section.

In response to the attacks reported in [5], IBM proposed two recommendations.

Recommendation 1. As mentioned, the attacks exploit problems in the key-part-import process. To prevent these problems, one IBM recommendation is to replace this part by a public-key setting. However, as shown in [14], further access control mechanisms are needed, which essentially restrict the kind of commands certain roles may perform. Two cases, which correspond to two different roles, are considered, and are denoted CCA-1A and CCA-1B in Figure 4. We note that the Horn theories that correspond to these cases are $\oplus$-linear, and hence, our tool can be applied directly; no changes are necessary, not even the transformations mentioned above. Since public-key encryption (and pairing) cannot be directly handled by the tool presented by Cortier et al. [14], Cortier et al. had to modify the protocol in an ad hoc way, which is not guaranteed to yield an equivalent protocol. This is also why the runtimes of the tools cannot be compared directly.

Figure 5: CCA API, where $km$ denotes a constant (the master key stored in the cryptographic coprocessor), $type$ is a constant that ranges over the constants in $\{data, imp, exp, pin\}$, and all other symbols ($x$, $y$, $k$, ...) are variables. [The Horn clauses of the figure did not survive extraction.]

Recommendation 2. Here additional access control mechanisms are assumed which ensure that no single role is able to mount an attack. We analyzed exactly the same subsets of commands as the ones in [14]. These cases are denoted CCA-2B, -2C, and -2E in Figure 4, following the notation in [14]. The runtimes obtained in [14] are comparable to ours: 333s for CCA-2B, 58s for -2C, and 0.03s for -2E.

Our Attack. As we noted before, our tool found an attack which, according to our knowledge, has not been discovered before. This attack uses the same assumptions as Bond's attack in terms of the role played by the intruder and his knowledge. As in the IBM attack, we use the fact that $0$ is the default value for $DATA$.

Our attack does not use key conjuring, and hence, is easier to carry out than the IBM attack. As a result of the attack, the intruder obtains a PIN derivation key in clear (like in the IBM attack).



In the attack we assume that a new key-encryption-key 
kek needs to be imported, using the three-part key import 
commands \KeyPartImp-First\ - \KeyPartImp-Las^ , which 
means that kek = hi ® k2 ® fc3, where kl, fc2, fc3 are the 
shares known by three different individuals. 

The key kek is then used to import a new pin-derivation 
key pdk to the security module, in the form 

{pdk}kek(BPm- (15) 

We assume that this message can be seen by the attacker 
and that the attacker is the third participant of the process 
of importing kek. In particular, the attacker can perform 
\KeyPartImp-Las^ , knows the value A;3, and obtains the 
message 

{/cl © A:2}km©kp©imp- (16) 

Now we describe the steps of the attack. After the intruder receives (16), he uses KeyPartImp-Last with $k_3 \oplus \mathrm{PIN}$ instead of $k_3$. In this way he obtains

$\{kek \oplus \mathrm{PIN}\}_{\mathrm{KM} \oplus \mathrm{IMP}}$ (A1)

He uses the same command again, this time with $k_3 \oplus \mathrm{PIN} \oplus \mathrm{EXP}$, obtaining

$\{kek \oplus \mathrm{PIN} \oplus \mathrm{EXP}\}_{\mathrm{KM} \oplus \mathrm{IMP}}$ (A2)

Next, when $pdk$ is imported, the intruder uses KeyImport twice. The first time with input (A1), (15), and type = DATA = 0 (the module decrypts (15) under $(kek \oplus \mathrm{PIN}) \oplus \mathrm{DATA} = kek \oplus \mathrm{PIN}$), resulting in the message

$\{pdk\}_{\mathrm{KM} \oplus \mathrm{DATA}}$ (A3)

The second time with input (A2), (15), and type = EXP (the module decrypts (15) under $(kek \oplus \mathrm{PIN} \oplus \mathrm{EXP}) \oplus \mathrm{EXP} = kek \oplus \mathrm{PIN}$), resulting in the message

$\{pdk\}_{\mathrm{KM} \oplus \mathrm{EXP}}$ (A4)

Now, using KeyExport with input (A3), (A4), and type = DATA = 0, the attacker obtains

$\{pdk\}_{pdk \oplus \mathrm{DATA}} = \{pdk\}_{pdk}$ (A5)

Finally, using Decipher with input (A5) and (A3), the attacker obtains the clear value of $pdk$, which can be used to obtain the PIN for any account number: given an account number, the corresponding PIN is derived by encrypting the account number under $pdk$.
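The attack above, replayed as an added example (this is not the authors' ProVerif model or tool). The CCA commands are modelled the Dolev-Yao way, exactly as a Horn-theory analysis sees them: encryption is a symbolic term that can only be opened with the very same key, keys are 16-byte strings combined with XOR, and the control vectors IMP, EXP, PIN and KP are constructed constants (their real CCA values are not used); DATA is the all-zero vector, as in the text. The command input/output patterns follow the steps (A1)-(A5); the honest import flow in `honest_import` (pdk ending up under KM ⊕ PIN) is our assumption about the intended use, not something the text spells out.

```python
"""Symbolic replay of the key-import attack on the CCA API (added example)."""
import hashlib
from dataclasses import dataclass

KLEN = 16


def h(label: str) -> bytes:
    """Deterministic stand-in for a fresh key or control vector (constructed value)."""
    return hashlib.sha256(label.encode()).digest()[:KLEN]


def xor(*parts: bytes) -> bytes:
    out = bytes(KLEN)
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out


DATA = bytes(KLEN)                                         # DATA = 0, the default type
IMP, EXP, PIN, KP = h("IMP"), h("EXP"), h("PIN"), h("KP")  # constructed control vectors


@dataclass(frozen=True)
class Enc:
    """Symbolic ciphertext {msg}_key: opaque unless you hold exactly `key`."""
    key: bytes
    msg: bytes


def dec(key: bytes, c: Enc) -> bytes:
    if c.key != key:
        raise ValueError("ciphertext was not produced under this key")
    return c.msg


class SecurityModule:
    """The four CCA commands the attack needs; `+` in the comments is XOR, KM the master key."""

    def __init__(self, km: bytes) -> None:
        self.km = km

    def key_part_import_last(self, partial: Enc, share: bytes, typ: bytes) -> Enc:
        # {k}_{KM+KP+typ}, share k'  ->  {k+k'}_{KM+typ}
        k = dec(xor(self.km, KP, typ), partial)
        return Enc(xor(self.km, typ), xor(k, share))

    def key_import(self, c: Enc, kek_c: Enc, typ: bytes) -> Enc:
        # {k}_{kek+typ}, {kek}_{KM+IMP}, typ  ->  {k}_{KM+typ}
        kek = dec(xor(self.km, IMP), kek_c)
        return Enc(xor(self.km, typ), dec(xor(kek, typ), c))

    def key_export(self, c: Enc, kek_c: Enc, typ: bytes) -> Enc:
        # {k}_{KM+typ}, {kek}_{KM+EXP}, typ  ->  {k}_{kek+typ}
        kek = dec(xor(self.km, EXP), kek_c)
        return Enc(xor(kek, typ), dec(xor(self.km, typ), c))

    def decipher(self, key_c: Enc, c: Enc) -> bytes:
        # {k}_{KM+DATA}, {m}_k  ->  m
        return dec(dec(xor(self.km, DATA), key_c), c)


def setup():
    """Honest state: three shares of kek, message (16) after the first two key parts,
    and pdk sent as message (15). All key values are constructed with h()."""
    km, k1, k2, k3, pdk = h("KM"), h("k1"), h("k2"), h("k3"), h("pdk")
    kek = xor(k1, k2, k3)
    hsm = SecurityModule(km)
    msg16 = Enc(xor(km, KP, IMP), xor(k1, k2))   # (16): {k1+k2}_{KM+KP+IMP}
    msg15 = Enc(xor(kek, PIN), pdk)              # (15): {pdk}_{kek+PIN}
    return hsm, km, k3, pdk, msg15, msg16


def honest_import() -> bytes:
    """Assumed intended use: k3 completes kek, then pdk is imported as a PIN key."""
    hsm, km, k3, pdk, msg15, msg16 = setup()
    kek_c = hsm.key_part_import_last(msg16, k3, IMP)   # {kek}_{KM+IMP}
    pdk_c = hsm.key_import(msg15, kek_c, PIN)          # {pdk}_{KM+PIN}
    assert pdk_c == Enc(xor(km, PIN), pdk)
    return pdk_c.key


def attack() -> tuple:
    """The third share holder, who sees (15) and (16), recovers pdk in the clear."""
    hsm, km, k3, pdk, msg15, msg16 = setup()
    a1 = hsm.key_part_import_last(msg16, xor(k3, PIN), IMP)       # (A1) {kek+PIN}_{KM+IMP}
    a2 = hsm.key_part_import_last(msg16, xor(k3, PIN, EXP), IMP)  # (A2) {kek+PIN+EXP}_{KM+IMP}
    a3 = hsm.key_import(msg15, a1, DATA)   # (A3) type = DATA = 0: {pdk}_{KM+DATA}
    a4 = hsm.key_import(msg15, a2, EXP)    # (A4) type = EXP:      {pdk}_{KM+EXP}
    a5 = hsm.key_export(a3, a4, DATA)      # (A5) {pdk}_{pdk+DATA} = {pdk}_{pdk}
    recovered = hsm.decipher(a3, a5)       # pdk in the clear
    return recovered, pdk
```

Every step is an ordinary command invocation with attacker-chosen inputs; no key conjuring and no unknown-key guessing is involved, which is why the model finds the derivation without any extra assumptions beyond those of Bond's attack. Changing `DATA` to a non-zero vector breaks step (A5), showing that the zero default is what makes `{pdk}_{pdk ⊕ DATA}` collapse to `{pdk}_{pdk}`.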

A Proofs for Section 3

In what follows we use the following notation: $t \sim t'$ if $t$ and $t'$ coincide up to transformation modulo AC, with standard terms kept unchanged. For example, $(a \oplus \langle a \oplus b, b\rangle) \oplus b \sim (a \oplus b) \oplus \langle a \oplus b, b\rangle \not\sim (a \oplus b) \oplus \langle b \oplus a, b\rangle$.

Proof of Lemma 4

Assume that $r'$ is a complete bad subterm of $r\theta$. We proceed by structural induction on $r$ and consider the following cases:

• $r = x$ is a variable: Because $\theta$ is $\oplus$-reduced, so is $\theta(x)$. So, since $r'$ is a subterm of $\theta(x)$ and $\theta(x) \sim t$, Lemma O implies that there exists a complete bad subterm $t'$ of $t$ with $t' \sim r'$.

• $r = f(r_1, \ldots, r_n)$, for $f \neq \oplus$: In this case, $t$ is of the form $f(t_1, \ldots, t_n)$ with $t_i \sim r_i\theta$. Since $r\theta$ is not bad, $r'$ is a subterm of $r_i\theta$ for some $i \in \{1, \ldots, n\}$. By the induction hypothesis, there exists a complete bad subterm $t'$ of $t_i$ (and thus of $t$) with $t' \sim r'$.

• $r = c$, for $c \in C^\oplus$: We have that $r\theta = r$. Since $r$ is $C$-dominated, it follows that $c$ does not contain complete bad subterms. Hence, there is nothing to show.

• $r \sim c \oplus r''$ with $c \in C^\oplus$ and $r'' \notin C^\oplus$ standard, but not a variable: The case $r' = r\theta$ cannot occur, since this term is not a bad term. Since $r$ is $C$-dominated, $c$ does not contain a complete bad subterm. Hence, $r'$ cannot be a subterm of $c\theta = c$. So $r'$ is a subterm of $r''\theta$.

Let $s \sim r''\theta$ for some $\oplus$-reduced term $s$, so that $t \sim c \oplus s$. Since $r''$, as a proper subterm of $r$, is $C$-dominated, from the fact that $r'$ is a complete bad subterm of $r''\theta$ it follows by the induction hypothesis that there exists a complete bad subterm $t'$ of $s$ with $r' \sim t'$. Now, since $c$ is $C$-dominated (because by assumption $r$ is), and hence $c$ does not contain complete bad subterms, it follows that $t'$ occurs as a subterm of $t$.

• $r \sim c \oplus x$, for $c \in C^\oplus$ and a variable $x$: Assume that $\theta(x) \sim c' \oplus t_1 \oplus \cdots \oplus t_n$ with $n \geq 0$, $c' \in C^\oplus$, and pairwise $\oplus$-distinct standard terms $t_1, \ldots, t_n \notin C$. First assume that $r' = r\theta$, which implies that $n > 1$. Then we can set $t' = t$, since $t' = t \sim r\theta = r'$. Otherwise, since $r$ is $C$-dominated, it follows that $c$ does not contain a complete bad subterm. Hence, $r'$ is a complete bad subterm of $c'$, or there exists $i$ such that $r'$ is a complete bad subterm of $t_i$. In any case, this term, let us call it $t''$, does not coincide with any standard term $c_i$ with $c = c_1 \oplus \cdots \oplus c_k$, because these terms do not contain complete bad subterms. Hence, $t''$ is equivalent to some term $t'$ in $t$. Thus, there exists a complete bad subterm $t'$ of $t$ with $r' \sim t'$. □

Proof of Lemma m

We proceed by structural induction on $s$:

• $s = x$ is a variable: We can set $t' = t$.

• $s$ is standard: Then $t \neq s\theta$, and thus, for one of the direct subterms $s'$ of $s$, $s'\theta$ has to contain $t$ as a complete subterm. By the induction hypothesis, there exists a variable $x \in var(s') \subseteq var(s)$ such that $\theta(x)$ contains a complete bad subterm $t'$ with $t' \sim_C t$.

• $s \in C^\oplus$: This case is not possible, since $s = s\theta$ is $C$-dominated, and hence cannot contain a complete bad subterm.

• $s \sim c \oplus s'$, where $c \in C^\oplus$ and $s' \notin C^\oplus$ is standard, but not a variable: Then $t \neq s\theta$, since $s\theta$ is not a bad term. Moreover, $c$ is $C$-dominated (since it belongs to $s$), and hence cannot have $t$ as a subterm. Hence $t$ must be a subterm of $s'\theta$, and we can use the induction hypothesis.

• $s \sim c \oplus x$, for $c \in C^\oplus$ and a variable $x$: If $t \sim (c \oplus x)\theta$, we can choose $t' = \theta(x)$, since $t' \sim_C t$. Otherwise, since $c$ is $C$-dominated, and hence does not contain complete bad subterms, it follows that $t$ is a subterm of $\theta(x)$. Hence, we can choose $t' = t$. □

B Proofs for Section 4

Proof of Lemma 12

We start by showing that matching of $C$-dominated terms modulo XOR yields a uniquely determined matcher modulo XOR, if any, and that this matcher can be computed in polynomial time.

Claim 1. Let $s$ be a $C$-dominated term and $t$ be a ground term. Then the matcher of $s$ against $t$ is uniquely determined modulo XOR, i.e., if $s\theta \sim t$ and $s\theta' \sim t$ for substitutions $\theta$ and $\theta'$, then $\theta(x) \sim \theta'(x)$ for every $x \in var(s)$. Moreover, the matcher of $s$ against $t$ can be computed in polynomial time in the size of $s$ and $t$.

Proof. We show how to compute the unique (modulo XOR) matcher of $s$ against $t$. The computed matcher will be in normal form. First, for substitutions $\sigma_1$ and $\sigma_2$ we define $\sigma_1 \sqcup \sigma_2$ as $\sigma_1 \cup \sigma_2$ if for each $x \in dom(\sigma_1) \cap dom(\sigma_2)$ we have that $\sigma_1(x) = \sigma_2(x)$. Otherwise, $\sigma_1 \sqcup \sigma_2$ is undefined.

We obtain the matcher $\sigma$ of $s$ against $t$ recursively as follows. We can assume that both $s$ and $t$ are in normal form (one can transform a term $t$ into its normal form $\ulcorner t \urcorner$ in polynomial time¹). We consider the following cases:

1. $s = x$ is a variable: Then $\sigma = \{t/x\}$.

2. $s$ is a ground term: Then $\sigma = \emptyset$ if $s = t$. Otherwise, the matcher does not exist.

3. $s = c \oplus s'$, for ground $c$ and non-ground, standard $s'$: Then $\sigma$ is the matcher of $s'$ against the term $\ulcorner c \oplus t \urcorner$.

4. $s = f(s_1, \ldots, s_n)$, for $f \neq \oplus$, non-ground: If $t = f(t_1, \ldots, t_n)$, we take $\sigma = \sigma_1 \sqcup \cdots \sqcup \sigma_n$, where $\sigma_i$, for $i \in \{1, \ldots, n\}$, is the matcher of $s_i$ against $t_i$. Otherwise, i.e., if such a $\sigma$ does not exist, the matcher does not exist.

It is easy to show that this algorithm computes a matcher of $s$ against $t$, if it exists, and moreover that this matcher is unique. □
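The matching procedure of Claim 1, as an added example (our own term encoding, not the authors' implementation). It also carries out the normalization the proof assumes as given: XOR terms are kept flattened, with cancelled pairs removed and summands sorted, so that equality of normal forms is equality modulo AC, nilpotence and unit. The four cases of `match` are the four cases above; `sigma_1 ⊔ ... ⊔ sigma_n` is the consistency check in case 4, and a term with two non-ground summands in one XOR is rejected as not $C$-dominated. The sample terms at the bottom are constructed for this example.

```python
"""Matching a C-dominated term against a ground term modulo XOR (added example).

Term encoding (ours):
  variable       ('var', name)
  standard term  ('app', f, (arg, ...))   f != xor; a constant is ('app', c, ())
  xor term       ('xor', (t1, ..., tn))   normal form: n >= 2, sorted, pairwise
                                          distinct summands, no nested xor, no 0
  the unit 0     ZERO = ('app', '0', ())
"""

ZERO = ('app', '0', ())


def is_var(t):
    return t[0] == 'var'


def is_ground(t):
    if is_var(t):
        return False
    args = t[2] if t[0] == 'app' else t[1]
    return all(is_ground(a) for a in args)


def normalize(t):
    """Normal form of t: arguments normalized, xors flattened, pairs cancelled, sorted."""
    if is_var(t):
        return t
    if t[0] == 'app':
        return ('app', t[1], tuple(normalize(a) for a in t[2]))
    return xor(*t[1])


def xor(*terms):
    """Normal form of t1 + ... + tn (AC, x + x = 0, x + 0 = x) for arbitrary terms."""
    count = {}
    for t in terms:
        t = normalize(t)
        summands = t[1] if t[0] == 'xor' else () if t == ZERO else (t,)
        for s in summands:
            count[s] = count.get(s, 0) + 1
    rest = sorted(s for s, n in count.items() if n % 2 == 1)
    if not rest:
        return ZERO
    return rest[0] if len(rest) == 1 else ('xor', tuple(rest))


def apply(sigma, t):
    """t sigma, in normal form if t was."""
    if is_var(t):
        return sigma.get(t[1], t)
    if t[0] == 'app':
        return ('app', t[1], tuple(apply(sigma, a) for a in t[2]))
    return xor(*(apply(sigma, a) for a in t[1]))


def match(s, t):
    """The unique matcher sigma with s sigma ~ t (dict variable -> ground term), or None.
    Raises ValueError if s is not C-dominated (two non-ground summands in one xor)."""
    s, t = normalize(s), normalize(t)
    if is_var(s):                                    # case 1
        return {s[1]: t}
    if is_ground(s):                                 # case 2
        return {} if s == t else None
    if s[0] == 'xor':                                # case 3: s = c + s'
        nonground = [u for u in s[1] if not is_ground(u)]
        if len(nonground) != 1:
            raise ValueError('not C-dominated: %r' % (s,))
        c = xor(*[u for u in s[1] if is_ground(u)])
        return match(nonground[0], xor(c, t))        # matcher of s' against c + t
    if t[0] != 'app' or t[1] != s[1] or len(t[2]) != len(s[2]):
        return None                                  # case 4: t is not f(t1, ..., tn)
    sigma = {}
    for si, ti in zip(s[2], t[2]):
        part = match(si, ti)
        if part is None:
            return None
        for x, v in part.items():                    # sigma_1 |_| ... |_| sigma_n
            if x in sigma and sigma[x] != v:
                return None                          # join undefined: no matcher
            sigma[x] = v
    return sigma


# Constructed sample:  s = a + <x, f(b + y)>   matched against   t = a + <a + b, f(a)>
def V(x):
    return ('var', x)


def K(c):
    return ('app', c, ())


def pair(u, v):
    return ('app', 'pair', (u, v))


def f(u):
    return ('app', 'f', (u,))


S = xor(K('a'), pair(V('x'), f(xor(K('b'), V('y')))))
T = xor(K('a'), pair(xor(K('a'), K('b')), f(K('a'))))


def demo():
    sigma = match(S, T)                      # {x -> a + b, y -> a + b}
    assert sigma is not None and normalize(apply(sigma, S)) == T
    return sigma
```

In the sample, case 3 fires at the top (`a + t` cancels the constant `a`), and inside `f` the summand `b` is moved across to the ground side, so `y` is matched against `b + a`; both bindings are returned in normal form, as the proof requires.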

Now we are ready to prove Lemma 12. The domain of every substitution in $\Sigma(t)$ is polynomial, since it is a subset of $var(t)$. Hence, it suffices to show that for every variable in the domain there are only exponentially many possible values and that these values can be computed effectively. This is clear for cases (i) and (ii) in Definition [H, as $C^\oplus_{\mathrm{nrm}}$ is bounded exponentially (in the size of $C$).

As for case (iii), let $s$, $x$ and $\theta$ be given as in this case. Note that $s$ is $C$-dominated. Hence, $\theta$ is the unique matcher of $s$ against some $c \in C^\oplus_{\mathrm{nrm}}$. Because $\theta$ can be computed from $s$ and $c$ in polynomial time and, moreover, both $s$ and $c$ range over exponentially bounded sets (in fact, $\mathcal{F}(t)$ is polynomial and $C^\oplus_{\mathrm{nrm}}$ is exponential), the claim of the lemma follows.

Proof of Lemma 14

Let $t$ and $\theta$ be given as in the lemma. By construction, it is easy to see that $\sigma = \sigma(t, \theta) \in \Sigma(t)$. It is also easy to see that there exists $\theta'$ such that $\theta = \sigma\theta'$ and the domain of $\theta'$ is the set of all variables that occur in some $\sigma(x)$ for $x \in dom(\sigma)$. Note that $\theta'$ is uniquely determined. Let $t'$ be a subterm of $t$. We need to show that $\ulcorner t'\theta \urcorner = \ulcorner t'\sigma \urcorner \theta'$. We proceed by structural induction on $t'$.

¹ So far, we defined $\ulcorner \cdot \urcorner$ only for $C$-dominated terms. Now we need to extend the definition of $\ulcorner \cdot \urcorner$ to work for all terms. Such an extension is straightforward, so we skip it.



First, suppose that $t' \in var(t)$. Let $x = t'$. We distinguish the following cases:

(a) If $\sigma(x)$ was defined according to Definition 5 (a), then $\sigma(x) = \theta(x)$. It follows that $\ulcorner x\theta \urcorner = \ulcorner x\sigma \urcorner \theta'$.

(b) Otherwise, if $\sigma(x)$ was defined according to Definition 5 (b), then $x \in \mathcal{F}(t)$, $\theta(x) = c \oplus s'$ for $c \in C^\oplus_{\mathrm{nrm}}$ and some normalized standard term $s'$ not in $C^\oplus$, and $\sigma(x) = c \oplus x$. It follows that $\theta'(x) = s'$ and $\ulcorner x\sigma \urcorner \theta' = \ulcorner c \oplus x \urcorner \theta' = (c \oplus x)\theta' = c \oplus s' = \ulcorner c \oplus s' \urcorner = \ulcorner x\theta \urcorner$.

(c) Otherwise, if $\sigma(x)$ was defined according to Definition 5 (c), then $\sigma(x) = x$ and $\theta'(x) = \theta(x)$. Since $\theta(x)$ is normalized, it follows that $\ulcorner x\theta \urcorner = \ulcorner x\sigma \urcorner \theta'$.

Second, suppose that $t' = f(t_1, \ldots, t_n)$, for $f \neq \oplus$: By the induction hypothesis, it follows that $\ulcorner t'\theta \urcorner = f(\ulcorner t_1\theta \urcorner, \ldots, \ulcorner t_n\theta \urcorner) = f(\ulcorner t_1\sigma \urcorner \theta', \ldots, \ulcorner t_n\sigma \urcorner \theta') = \ulcorner t'\sigma \urcorner \theta'$.

If we suppose that $t' = c$, for $c \in C^\oplus_{\mathrm{nrm}}$, then it immediately follows that $\ulcorner t'\theta \urcorner = \ulcorner t'\sigma \urcorner \theta'$.

Now, suppose that $t' = c \oplus x$, for $c \in C^\oplus_{\mathrm{nrm}}$. We distinguish the following cases:

(a) If $\sigma(x)$ was defined according to Definition 5 (a), then $\sigma(x) = \theta(x)$. It follows that $\ulcorner t'\theta \urcorner = \ulcorner t'\sigma \urcorner \theta'$.

(b) Otherwise, if $\sigma(x)$ was defined according to Definition 5 (b), then $x \in \mathcal{F}(t)$, $\theta(x) = c' \oplus s'$ for $c' \in C^\oplus_{\mathrm{nrm}}$ and some normalized standard term $s'$ not in $C^\oplus$, and $\sigma(x) = c' \oplus x$. It follows that $\theta'(x) = s'$ and $\ulcorner t'\sigma \urcorner \theta' = \ulcorner c \oplus c' \oplus x \urcorner \theta' = \ulcorner c \oplus c' \urcorner \oplus x\theta' = \ulcorner c \oplus c' \urcorner \oplus s' = \ulcorner c \oplus c' \oplus s' \urcorner = \ulcorner t'\theta \urcorner$.

(c) Otherwise, if $\sigma(x)$ was defined according to Definition 5 (c), then $\sigma(x) = x$ and $\theta'(x) = \theta(x)$. Since $x \in \mathcal{F}(t)$ and items (a) and (b) of Definition 5 do not hold, $\theta'(x)$ is a normalized standard term not in $C^\oplus$. It follows that $\ulcorner t'\theta \urcorner = \ulcorner c \oplus \theta(x) \urcorner = c \oplus \theta(x) = \ulcorner t'\sigma \urcorner \theta'$.

Finally, suppose that $t' = c \oplus s$, for $c \in C^\oplus_{\mathrm{nrm}}$ and a $C$-dominated, standard subterm $s$ of $t'$ with $s \notin C^\oplus$ and $s \notin var(t)$. We distinguish the following cases:

(a) If $s\theta \in C^\oplus$, then $\sigma(x)$, for $x \in var(s)$, was defined according to Definition 5 (a), since $s \in \mathcal{F}(t)$. Hence, $\sigma(x) = \theta(x)$ for all $x \in var(s)$, and thus $s\sigma$ is ground and $s\sigma = s\theta$. It follows that $\ulcorner t'\theta \urcorner = \ulcorner c \oplus s\theta \urcorner = \ulcorner c \oplus s\sigma \urcorner = \ulcorner c \oplus s\sigma \urcorner \theta' = \ulcorner t'\sigma \urcorner \theta'$.

(b) Otherwise, if $s\theta \notin C^\oplus$, by the induction hypothesis it follows that $\ulcorner s\theta \urcorner = \ulcorner s\sigma \urcorner \theta'$. We also have that $s\sigma$ is not in $C^\oplus$ (otherwise $s\theta$ would also be in $C^\oplus$). Moreover, since $s\theta \notin C^\oplus$, we obtain $\ulcorner t'\theta \urcorner = c \oplus \ulcorner s\theta \urcorner = c \oplus \ulcorner s\sigma \urcorner \theta' = \ulcorner (c \oplus s)\sigma \urcorner \theta' = \ulcorner t'\sigma \urcorner \theta'$. □